Skip to main content
crcli uses OAuth 2.0 device flow. Your token is stored in the OS keychain — no plaintext credentials, no repeated logins.
Device authorization grant must be enabled for your tenant before crcli auth login will work. If login fails with an authorization error, contact your Cloud.Red administrator or support to enable it.

Log In

crcli auth login
A browser window opens automatically. Complete the login flow in your browser. crcli detects the completion and stores the token securely.
If the browser doesn’t open automatically, the command prints a URL you can paste manually.

Check Status

crcli auth status
Shows whether you’re authenticated and when the token expires.

Log Out

crcli auth logout
Removes the stored token from the OS keychain.

Token Storage

Tokens are stored in the OS keychain (Keychain on macOS, Secret Service on Linux, Windows Credential Manager on Windows). They are never written to disk in plaintext. crcli automatically refreshes expired tokens. If the refresh fails, it re-runs the device flow and opens the browser again.

Environments

By default crcli connects to the production environment. To use staging: 
crcli --env staging <command>
--envAPI URLAuth URL
prod (default)https://{tenant}.portal.cloud.redhttps://auth.cloud.red
staginghttps://{tenant}.staging.cloud.redhttps://auth-staging.cloud.red
Each environment stores its token separately, so you can be logged in to both at once.