Skip to main content

Authentication

This page covers proving who you are with NebCLI: signing in through your browser, managing the environment you work against, and checking the health of your session. To install and verify the binary first, see Installation.

Prerequisites

  • NebCLI installed and on your PATH. See Installation for the one-line installer and the verified manual recipe.
  • A NebCore account that is a member of your tenant. If sign-in is refused, ask your tenant administrator to grant you access.
  • A terminal on macOS, Linux, or Windows.

Sign in

NebCLI signs you in through your browser using a device-code flow. NebCLI opens your browser, you log in with your identity provider (Auth0), and NebCLI saves a session on your computer.

nebcli login --tenant <your-tenant>

What happens:

  1. NebCLI opens the sign-in page in your browser.
  2. You log in and confirm the device code shown in your terminal.
  3. On success, NebCLI saves your session locally and sets up only the access you are allowed to have.
note

Signing in proves who you are. It does not by itself grant you everything. The platform still decides what your identity is permitted to do for each action.

When you are done, end the session:

nebcli logout

Show your current authentication state, including which environment is active:

nebcli auth status

Manage environments with contexts

NebCLI uses contexts to track which platform environment you are working against, the same way kubectl uses contexts for clusters. If you work against more than one environment, you switch between them instead of signing in again each time.

nebcli auth contexts # list every available context
nebcli auth use-context <name> # switch the active context
nebcli auth rename-context <old> <new>

Run the self-check

doctor runs a sweep of client-side checks against the auth surface and prints a specific fix for every problem it finds. Run it first whenever sign-in or connectivity is not behaving.

nebcli doctor

The checks are grouped into categories so you can see where a problem lies:

CategoryWhat it checks
ConfigYour current context and any environment variables that could interfere with sign-in.
Endpoint and discoveryDNS resolution and a TCP connection to the platform and backend hosts.
Login stateYour session token decodes, has not expired, and can be refreshed live.
MembershipThat your account carries the access your tenant requires.
SessionsA live listing of your active sessions, with the current one marked.
Device fingerprintWhether your session matches the version of NebCLI you are running.
Clock skewWhether your machine's clock is close enough to the platform's.

Each failing check prints its remediation inline. Add --output json for scripted alerting or evidence collection.

Manage sessions

List the sessions tied to your account and end any one of them. This is how you sign out a session on a laptop you no longer have.

nebcli sessions list
nebcli sessions revoke <session-id>

Keep your license current

NebCLI fetches your tenant's signed license and writes it locally, where NebGuard reads it to know which features are allowed. NebCLI refreshes the license on its own, including at sign-in, but you can force a refresh:

nebcli license refresh

Next steps

  • Commands: every public command, grouped by task, plus exit codes.
  • Examples: get temporary AWS access, validate a chart, refresh a credential.
  • Credential brokering: how short-lived access works under the hood.