Log in


scirix-cli authenticates against the Scirix API with a Personal Access Token issued through a browser-consented PKCE flow. The token is stored on disk under your OS config directory and used as the bearer for every subsequent API call.

First login

scirix login

(Or scirix auth login — both are equivalent.) This:

  1. Starts a token-issuance flow against the Scirix API.
  2. Opens your default browser at the consent page on ui.scirix.fi.
  3. Polls for approval. You click Approve on the consent page; the CLI prints a confirmation when the token is exchanged and saved.

If the machine has no browser (SSH session, headless server, etc.), the CLI prints the consent URL; open it in any browser that can reach the consent page and approve there. The CLI keeps polling until you approve, deny, or the flow expires.

Custom token label

By default tokens are labelled scirix-auth on <hostname> so you can recognise them later. Override with --label:

scirix login --label "my-laptop / read-only ops"

The label is the only thing distinguishing tokens in the Tokens UI and scirix auth tokens output, so pick something specific if you'll have several.

Verify

scirix auth whoami

Prints the user identity, the token label, and the number of scopes the token carries. If you can run this without an error, you're signed in.

Listing and revoking tokens

scirix auth tokens               # list all your active tokens
scirix auth revoke <tokenId>     # revoke one
scirix auth logout               # revoke the current token + delete the local file

scirix auth tokens shows the label, scopes, last-used timestamp, and the id you'd pass to revoke. The same view is available in the Scirix UI's account settings — both are kept in sync.

Where the credentials live

scirix auth login stores your access token in the OS keyring whenever one is available:

  • macOS — Keychain
  • Windows — Credential Manager
  • Linux — Secret Service (GNOME Keyring, KWallet, etc.)

The token is stored in the keyring entry with service scirix and account credentials, in case you want to inspect or revoke it from the OS-level tooling.

If no keyring is reachable (a headless server, a container without a running Secret Service, a locked-down CI runner), the token is written to a permission-restricted file under your state directory instead:

OS        Fallback file path
Linux     ${XDG_STATE_HOME:-~/.local/state}/scirix/credentials.json
macOS     ~/Library/Application Support/scirix/credentials.json
Windows   %LOCALAPPDATA%\scirix\credentials.json

scirix auth login prints which of the two paths was used so there's no guessing.
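
A check for the fallback file described above, added here as an example and not part of scirix-cli: it resolves the path from the table and flags a credentials file that other accounts could read or replace. The function names are hypothetical, and treating "permission-restricted" as owner-only mode on POSIX is an assumption; Windows ACLs are not inspected.

```python
import os
import stat
import sys
from pathlib import Path


def fallback_path(platform=sys.platform, env=os.environ, home=None):
    """Fallback credentials path from the table above, per platform."""
    home = Path(home) if home else Path.home()
    if platform.startswith("win"):
        return Path(env["LOCALAPPDATA"]) / "scirix" / "credentials.json"
    if platform == "darwin":
        return home / "Library" / "Application Support" / "scirix" / "credentials.json"
    # ${XDG_STATE_HOME:-~/.local/state}: unset or empty falls back to the default
    state = env.get("XDG_STATE_HOME") or str(home / ".local" / "state")
    return Path(state) / "scirix" / "credentials.json"


def audit(path):
    """Return a list of findings; an empty list means nothing to fix."""
    path = os.path.abspath(path)
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return []  # no fallback file: token is in the keyring, or not logged in
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    if os.name == "posix":  # Windows ACLs are out of scope for this sketch
        # Assumption: "permission-restricted" means no group/other bits (e.g. 0600)
        if st.st_mode & 0o077:
            findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
        if st.st_uid != os.getuid():
            findings.append("not owned by the current user")
        if os.stat(os.path.dirname(path)).st_mode & 0o022:
            findings.append("parent directory is writable by group/other")
    return findings


if __name__ == "__main__":
    target = fallback_path()
    problems = audit(target)
    for msg in problems:
        print(f"{target}: {msg}")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it has findings, so it can gate a CI job or a host hardening check on headless machines where the keyring is unavailable.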

Next

Most queries are scoped to a single namespace — head to Usage to pick one and start running commands.