Authentication
exalsius requires authentication to interact with the platform. The exls login command authenticates you and stores credentials in your system keyring. Use exls logout to remove them.
Log in
exls login
The CLI asks for your email address. Based on the email domain, exalsius routes you to your organization's SSO provider (e.g., Google Workspace, GitHub, Okta, Microsoft Entra ID). If your organization does not use SSO, you are directed to the default exalsius login page.
After entering your email, the CLI auto-detects the best authentication flow for your environment:
- PKCE (browser) — used when a graphical browser is available. Opens a browser tab to complete authentication via your SSO provider.
- Device code (headless) — used on servers or CI systems without a browser. Displays a device code and QR code so you can authenticate from another device.
If PKCE times out (for example, the browser did not open), the CLI automatically falls back to the device code flow.
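What the PKCE flow named above protects against, as an added example that is not code from exalsius or the exls CLI: the authorization code returned through the browser is useless without the verifier that only the CLI holds. The AuthServer class, its method names and the token value are hypothetical stand-ins for an SSO provider, and the S256 challenge method (RFC 7636) is an assumption, since the page does not say which method exls uses.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Hypothetical in-memory stand-in for an SSO provider (illustration only)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        # Front channel (browser): only the challenge travels, never the verifier.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        # Back channel: codes are single use, so remove the entry before checking.
        challenge = self._pending.pop(code, None)
        if challenge is None or not hmac.compare_digest(s256(code_verifier), challenge):
            return None
        return "sample-token-" + secrets.token_urlsafe(8)  # constructed value


def demo() -> dict:
    server = AuthServer()
    verifier = secrets.token_urlsafe(32)  # per-login client secret, 43 chars
    challenge = s256(verifier)
    # Case 1: a party that saw the redirect holds the code but not the verifier.
    seen_code = server.authorize(challenge, "S256")
    intercepted = server.token(seen_code, secrets.token_urlsafe(32)) is not None
    # Case 2: the client that started the login redeems its code, then replays it.
    code = server.authorize(challenge, "S256")
    legit = server.token(code, verifier) is not None
    replay = server.token(code, verifier) is not None
    return {"intercepted": intercepted, "legit": legit, "replay": replay}


if __name__ == "__main__":
    print(demo())
```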
Override the authentication flow
Use --auth-flow to force a specific flow:
exls login --auth-flow device_code
Available values: pkce, device_code, auto (default).
Log out
exls logout
This removes all stored authentication tokens from the system keyring. If you are not currently logged in, the command exits with an informational message.
How credentials are stored
exalsius stores authentication tokens (access token, ID token, refresh token, and expiry) in your operating system's keyring under the service name exalsius_cli. The keyring backend depends on your OS:
- macOS — Keychain
- Linux — Secret Service (e.g., GNOME Keyring, KWallet)
- Windows — Windows Credential Locker
No tokens are written to disk as plain text.
Troubleshooting
exls login opens a browser but authentication fails
Verify that you have an active exalsius account. During the closed beta, reach out to run.it@exalsius.ai to request access.
exls login hangs on a headless server
The CLI may be attempting the PKCE flow. Force the device code flow:
exls login --auth-flow device_code
Failed to store token or Failed to load token
The system keyring is not available or not unlocked. On Linux, ensure a Secret Service provider (GNOME Keyring, KWallet) is running. On headless Linux systems, you may need to configure keyrings.alt or keyring --disable and use an alternative backend.
Switching accounts
Log out first, then log in with the new account:
exls logout
exls login
Reference
exls login
exls login [OPTIONS]
| Flag | Default | Description |
|---|---|---|
| --auth-flow | auto | Authentication flow: pkce, device_code, or auto |
exls logout
exls logout
No options. Removes stored tokens from the system keyring.