CLI authentication

The CLI needs a loomta_sk_… key for every command except auth:login. There are three ways to provide one, listed from most convenient (humans) to most automation-friendly (CI / agents).

Best for interactive use. Opens a browser, you approve, and the CLI saves a key.

loomta auth:login

It prints a confirmation code (LMT-XXXX-XXXX), opens https://loomta.com/cli-auth, waits while you sign in and pick a workspace, then writes the minted key to ~/.loomta/credentials.json. Under the hood this is the device authorization flow.

Headless / SSH / containers — if no browser can open, pass --no-browser (or it falls back automatically) and the CLI prints a URL and code to enter on any other device:

loomta auth:login --no-browser

2. Non-interactive API key

Best for CI and agents. Pass an existing key; the CLI validates it against the API before saving.

loomta auth:login --api-key loomta_sk_xxx

3. Environment variable

No saved file at all — set the key per shell. This wins over a saved file.

export LOOMTA_API_KEY=loomta_sk_xxx
# optional: point at a non-default host
export LOOMTA_API_URL=https://api.loomta.com

Resolution order

The CLI resolves credentials in this order:

LOOMTA_API_KEY (and optional LOOMTA_API_URL) from the environment.
~/.loomta/credentials.json (written by auth:login).

LOOMTA_API_URL from the environment always overrides the host saved in the file.

The credentials file


Path	`~/.loomta/credentials.json`
Permissions	`0600` (owner read/write); the `~/.loomta` directory is `0700`
Shape	`{ "apiKey": "loomta_sk_…", "apiUrl": "https://api.loomta.com" }`

Check and clear

loomta auth:status   # validates the current key, shows the source (env|file)
loomta auth:logout   # deletes ~/.loomta/credentials.json

auth:logout only removes the saved file; it does not revoke the key. To revoke, use the dashboard (Settings → API Keys).