whet auth
Two distinct surfaces live under whet auth:
login/status— manage the agent token the CLI uses to call/api/agent/v1. Stored in~/.whet/config.json(permissions600).connect <platform>— drive an OAuth PKCE flow that links a platform account to the active backend organization. The token lives in the backend's encrypted vault; the CLI just orchestrates the browser handshake.
whet auth login
The CLI uses the local Whet Desktop instance by default — whet auth login is only needed when pointing at a remote Team / Enterprise
deployment.
whet auth login --token <agent-token> --base-url https://your-team.whet.so/api/agent/v1
| Flag | Required | Description |
|---|---|---|
--token, -t | yes | Agent token. On a local install Whet generates it on first launch and persists it in your OS keychain; on Team / Enterprise it's issued from the workbench under Settings → Agent tokens. 64-character hex, no prefix. |
--base-url, -u | no | Agent API base URL. Default http://localhost:7891/api/agent/v1 (the local Whet Desktop instance). |
The token is never printed in full. If you pass it on the command line, be careful that it doesn't end up in ~/.zsh_history (use a password manager or paste manually from the banner).
whet auth status
Shows the current configuration (masked token).
$ whet auth status
Base URL · http://localhost:3000/api/agent/v1
Token · 7a3f4b2c…e2d8 (64 chars hex)
auth status only reads the local file — it does not ping the deployment. To verify the deployment is alive, call any real command (for example whet inbox <pipeline_id>) and check the response, or run whet doctor for a full diagnostic.
whet auth connect
Connect a platform account to the active backend organization via OAuth 2.0 PKCE. The backend mints the authorize URL; the CLI opens your browser and listens on http://localhost:11789 for the callback. When the exchange completes, the backend persists the refresh + access tokens encrypted; the CLI never sees them.
whet auth connect <platform>
| Flag | Description |
|---|---|
--backend-base-url <url> | Override BACKEND_BASE_URL (defaults to env or http://localhost:3100). |
--api-key <key> | Backend Bearer key. Falls back to WHET_API_KEY. |
--no-open | Skip the auto-browser open — print the authorize URL instead. Useful over SSH or when piping. |
--timeout <seconds> | How long to wait for the callback before giving up. Default 300 (5 min). |
If the callback never arrives the CLI exits non-zero with auth.timeout. The half-finished oauth_state row in the backend is cleaned up by the next OAuth init.
The <platform> argument selects which OAuth provider to drive. The set of supported platforms depends on which adapters are installed in your deployment — run whet adapters list to see which connect <platform> flows are wired up.
Rotating the agent token
Open Settings → Agent tokens in the workbench and click Rotate. The old token is revoked immediately; the new one shows once for you to copy. On the CLI:
whet auth login --token <new-agent-token>
For Team / Enterprise deployments, the workbench admin manages rotation centrally — same flow from the admin console.
Revoking OAuth credentials
auth connect only adds credentials. To revoke one, use the backend endpoint:
curl -X DELETE \
-H "Authorization: Bearer $WHET_API_KEY" \
"$BACKEND_BASE_URL/oauth/credentials/<credential-id>"
Revoked credentials are kept (soft-delete) for audit; they stop being used by adapters immediately.
Notes
- There is no environment variable support yet (
WHET_TOKEN,WHET_BASE_URL) nor a--config <path>override. The CLI only reads~/.whet/config.json. auth connectrequires the local instance to have valid OAuth client credentials configured for the platform you're linking. Configure them under Settings → Connected accounts in the workbench.- If port
11789is in use (rare), kill the process holding it before re-runningwhet auth connect. The port is not configurable today; open an issue if this blocks a flow.