Skip to content

Authentication

lb supports two authentication methods: browser-based OAuth (interactive) and API key (non-interactive).

Run lb login to authenticate:

Terminal window
lb login

The CLI opens your default browser to the LoomBrain dashboard login page. After you complete login, the browser redirects to a local callback server, and the CLI writes credentials to disk. The browser window can be closed.

The flow times out after 5 minutes if no callback is received.

When a TTY is not available or certain environment variables are set, lb detects that it is running non-interactively and skips the browser flow. Non-interactive mode is triggered by any of the following:

| Signal | Description | |--------|-------------| | SSH_CONNECTION set | Running over SSH | | SSH_CLIENT set | Running over SSH (older clients) | | SSH_TTY set | SSH with a TTY allocated | | CI=true set | Running in CI | | LB_NON_INTERACTIVE=1 set | Explicitly forced |

In non-interactive mode, lb login exits with an error. Use API key auth instead.

You can also force non-interactive mode explicitly:

Terminal window
lb login --non-interactive

Generate an API key in the LoomBrain dashboard under Settings → API Keys, then export it as an environment variable:

Terminal window
export LB_TOKEN=lbk_...

When LB_TOKEN is set, the CLI uses it directly on every request. No lb login step is required. This is the recommended approach for CI pipelines, scripts, and server environments.

OAuth credentials are stored in:

~/.config/loombrain/config.json

The file contains the refresh token and cached access token. It is created on first successful lb login and updated automatically on token refresh.

| Token | Lifetime | Notes | |-------|----------|-------| | Access token | 15 minutes | Sent as Authorization: Bearer on every request | | Refresh token | 30 days | Stored in config file; used to obtain a new access token silently |

Token refresh is automatic. When a request fails with 401 and a refresh token is available, the CLI exchanges it for a new access token and retries the request transparently. If the refresh token is expired or revoked, lb prompts you to run lb login again.