> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nylio.app/llms.txt
> Use this file to discover all available pages before exploring further.

# CLI authentication

> How the Nylio CLI authenticates using OAuth 2.1 with PKCE, including login, session management, and environment overrides.

The CLI uses OAuth 2.1 Authorization Code with PKCE.

## Login

```bash theme={null}
nylio login
```

By default, the CLI opens a browser and waits for the OAuth callback on `http://127.0.0.1:39123/callback`.

If you do not want the CLI to open a browser automatically:

```bash theme={null}
nylio login --print-url
```

## Session state

Check the locally stored session without making an API request:

```bash theme={null}
nylio auth status
nylio whoami
```

## Logout

Clear local credentials:

```bash theme={null}
nylio logout
```

## Environment and overrides

* `BETTER_AUTH_URL` changes the default API origin
* `NYLIO_OAUTH_CLI_CLIENT_ID` overrides the OAuth client id
* `--api-base-url <url>` overrides the API origin per command

## Notes

* Access tokens refresh automatically when a refresh token is available.
* If the stored token is missing or expired without a refresh token, the CLI asks you to log in again.
* The CLI requests the public API audience, not the MCP audience.