culvii login
Log in to the Culvii CLI via OAuth.
Synopsis
culvii login
culvii auth login # alias
Description
Opens the user's browser to the Culvii login page (AWS Cognito, federated through Google). Uses OAuth 2.0 Authorization Code flow with PKCE (RFC 7636). The CLI starts a one-shot loopback HTTP server on 127.0.0.1 to receive the authorization code, then exchanges it with Cognito over HTTPS. Tokens are written atomically to ~/.culvii/tokens.json (mode 0600).
After token exchange, the CLI calls GET /auth/me to fetch all orgs the user belongs to. If you belong to multiple orgs, you'll be prompted to select one as the active context. All orgs are written to ~/.culvii/config — use culvii switch to change the active one later without re-logging in.
No flags. Interactive only.
Behaviour
- 5-minute timeout: if the browser flow isn't completed, exits with "Authentication timed out."
- On state mismatch (possible CSRF): exits with "Auth response mismatch — possible CSRF, aborting."
- Tokens are only deleted when Cognito returns
invalid_grant.
Examples
culvii login
# → Opens browser
# → (if multiple orgs) You belong to multiple tenants. Please select one:
# → [1] Culvii Dev
# → [2] Acme Corp
# → 1
# → ✓ Authenticated
# → alice@acme.com
# → Culvii Dev · owner
Related commands
culvii logout, culvii whoami, culvii switch