Skip to main content

Overview

Loom CLI uses OAuth2 device code flow for secure, user-friendly authentication. This method is ideal for command-line tools as it doesn’t require embedding client secrets or handling browser redirects.

Authentication Flow

Device Code Flow

Commands

login

Authenticate with Loom services.
--server-url
string
required
Loom server URL to authenticate againstExample: https://loom.ghuntley.com
Example:
Output:
Process:
  1. CLI initiates device code flow with server
  2. Server generates:
    • device_code: Secret code for polling (not shown to user)
    • user_code: Short code for user to enter (e.g., “ABCD-1234”)
    • verification_url: URL where user authorizes
    • expires_in: Timeout in seconds (typically 300-600)
  3. CLI displays verification URL and user code
  4. CLI attempts to open URL in default browser
  5. CLI polls server every 1 second until:
    • User completes authorization → receives access token
    • Flow expires → returns error
    • User cancels with Ctrl+C → aborts
  6. Access token is stored securely

logout

Log out and clear credentials.
--server-url
string
required
Loom server URL to log out from
Example:
Output:
Process:
  1. CLI loads stored token for the server URL
  2. Calls POST /auth/logout with token to invalidate server-side
  3. Deletes token from local credential store
  4. Token can no longer be used for API calls

Credential Storage

Storage Strategy

Loom uses a keyring-first, file-fallback strategy:
  1. Primary: System Keyring
    • macOS: Keychain
    • Windows: Credential Manager
    • Linux: Secret Service (libsecret, gnome-keyring, KWallet)
  2. Fallback: Encrypted File
    • Location: ~/.config/loom/credentials.json
    • Used when keyring is unavailable
    • Permissions: 0600 (owner read/write only)

Credential Format

Credentials are stored per-server using a sanitized server key:
Sanitization replaces all non-alphanumeric characters with underscores to ensure valid keyring/filename.

Security Features

  1. Keyring Integration: Leverages OS-level secure storage
  2. File Permissions: Restrictive permissions on fallback file
  3. Token Redaction: Tokens are never logged or displayed
  4. Server Isolation: Each server’s credentials are stored separately

Multiple Servers

You can authenticate with multiple Loom servers:
Each server’s credentials are stored independently.

Token Management

Token Lifecycle

Token Expiration

Loom access tokens may expire after a period (configured server-side). When a token expires:
  1. API calls return 401 Unauthorized
  2. CLI displays authentication error
  3. Run loom login again to obtain a new token
Example:

Token Inspection

Tokens are opaque strings and should not be inspected or manipulated manually.
Never share your access token. It grants full access to your account.

Error Handling

Common Errors

Browser Failed to Open:
Solution: Copy and paste the URL into your browser manually. Device Code Expired:
Solution: Run loom login again. Complete authorization faster (typically 5-10 minute window). Network Error:
Solutions:
  • Verify server URL is correct
  • Check network connectivity
  • Ensure server is running
User Cancelled:
Occurs when pressing Ctrl+C during device code flow. Safe to ignore.

Troubleshooting Authentication

Check Server Connectivity:
Verify Credentials File:
Check Keyring Status (Linux):
Delete and Re-authenticate:

Advanced Usage

Environment Variable

Set default server URL:

Programmatic Access

The loom-cli-credentials crate can be used in other Rust programs:

Git Credential Helper

Loom can act as a git credential helper for authenticated git operations:
See loom credential-helper --help for details.

Security Best Practices

Do’s

  1. ✅ Use strong, unique passwords for your Loom account
  2. ✅ Log out from shared/public computers
  3. ✅ Keep your system’s keyring/credential manager secure
  4. ✅ Regularly update Loom CLI to latest version
  5. ✅ Use different accounts for different environments (prod/staging)

Don’ts

  1. ❌ Never share your access token
  2. ❌ Never commit credentials.json to version control
  3. ❌ Never use same token on multiple machines (login separately)
  4. ❌ Never set overly permissive file permissions on credentials.json
  5. ❌ Never disable certificate validation in production

Internationalization

Authentication messages are localized based on system locale: English (en):
Spanish (es):
Supported Languages:
  • English (en)
  • Spanish (es)
  • Arabic (ar)

CLI Overview

Main CLI commands and setup

REPL Commands

Interactive session after authentication