Authentication
This page covers proving who you are with NebCLI: signing in through your browser, managing the environment you work against, and checking the health of your session. To install and verify the binary first, see Installation.
Prerequisites
- NebCLI installed and on your
PATH. See Installation for the one-line installer and the verified manual recipe. - A NebCore account that is a member of your tenant. If sign-in is refused, ask your tenant administrator to grant you access.
- A terminal on macOS, Linux, or Windows.
Sign in
NebCLI signs you in through your browser using a device-code flow. NebCLI opens your browser, you log in with your identity provider (Auth0), and NebCLI saves a session on your computer.
nebcli login --tenant <your-tenant>
What happens:
- NebCLI opens the sign-in page in your browser.
- You log in and confirm the device code shown in your terminal.
- On success, NebCLI saves your session locally and sets up only the access you are allowed to have.
Signing in proves who you are. It does not by itself grant you everything. The platform still decides what your identity is permitted to do for each action.
When you are done, end the session:
nebcli logout
Show your current authentication state, including which environment is active:
nebcli auth status
Manage environments with contexts
NebCLI uses contexts to track which platform environment you are working against, the same way kubectl uses contexts for clusters. If you work against more than one environment, you switch between them instead of signing in again each time.
nebcli auth contexts # list every available context
nebcli auth use-context <name> # switch the active context
nebcli auth rename-context <old> <new>
Run the self-check
doctor runs a sweep of client-side checks against the auth surface and prints a specific fix for every problem it finds. Run it first whenever sign-in or connectivity is not behaving.
nebcli doctor
The checks are grouped into categories so you can see where a problem lies:
| Category | What it checks |
|---|---|
| Config | Your current context and any environment variables that could interfere with sign-in. |
| Endpoint and discovery | DNS resolution and a TCP connection to the platform and backend hosts. |
| Login state | Your session token decodes, has not expired, and can be refreshed live. |
| Membership | That your account carries the access your tenant requires. |
| Sessions | A live listing of your active sessions, with the current one marked. |
| Device fingerprint | Whether your session matches the version of NebCLI you are running. |
| Clock skew | Whether your machine's clock is close enough to the platform's. |
Each failing check prints its remediation inline. Add --output json for scripted alerting or evidence collection.
Manage sessions
List the sessions tied to your account and end any one of them. This is how you sign out a session on a laptop you no longer have.
nebcli sessions list
nebcli sessions revoke <session-id>
Keep your license current
NebCLI fetches your tenant's signed license and writes it locally, where NebGuard reads it to know which features are allowed. NebCLI refreshes the license on its own, including at sign-in, but you can force a refresh:
nebcli license refresh
Next steps
- Commands: every public command, grouped by task, plus exit codes.
- Examples: get temporary AWS access, validate a chart, refresh a credential.
- Credential brokering: how short-lived access works under the hood.