dhan auth
The Dhan CLI distinguishes two HTTP hosts:
https://auth.dhan.co/for consent / token-generation flows (its own header style), andhttps://api.dhan.co/v2/for the trading API (access-tokenandclient-idheaders on every request).
Secrets are stored in the OS keyring under the dhan-cli: prefix. See
Concepts › Secret storage.
Commands
Section titled “Commands”| Subcommand | Purpose |
|---|---|
dhan auth configure --client-id <id> --access-token <token> |
Store client id and access token in the OS secret store. The simplest flow — bring your own token. |
dhan auth status |
Show whether client-id / access-token are stored and the authenticated flag. |
dhan auth login --client-id <id> --app-id <id> --app-secret <secret> [--port 17890] [--timeout-seconds 180] [--no-open] |
Browser consent (app/API-key) flow → store token. |
dhan auth consume --token-id <id> --app-id <id> --app-secret <secret> |
Exchange a tokenId from manual consent login for an access token. |
dhan auth totp --client-id <id> --pin <pin> --totp <totp> |
PIN + TOTP login — no browser. |
dhan auth partner-login --partner-id <id> --partner-secret <secret> [--port] [--timeout-seconds] [--no-open] |
Partner browser consent flow. |
dhan auth partner-consume --token-id <id> --partner-id <id> --partner-secret <secret> |
Exchange a partner tokenId. |
dhan auth renew |
Renew the currently active access token (adds a dhanClientId header in addition to client-id and access-token). |
dhan auth logout [--forget-client-id] |
Without flag: clears only the access token. With flag: clears both client id and token. |
Bring your own token
Section titled “Bring your own token”dhan auth configure --client-id 1000000123 --access-token xyz... --json --no-colordhan auth status --json --no-colordhan auth logout --forget-client-id --json --no-color # wipe everythingBrowser consent flow
Section titled “Browser consent flow”# Auto-opens the browser and waits for the loopback callbackdhan auth login --client-id C --app-id A --app-secret S --json --no-color
# Print the URL only — useful on headless boxes where you can complete login elsewheredhan auth login --client-id C --app-id A --app-secret S --no-open --json --no-colorThe redirect URL in the Dhan portal must be http://127.0.0.1:17890/ (default). Override
the port with --port or dhan config set redirectPort <port>.
Manual fallback when the callback can’t reach the CLI
Section titled “Manual fallback when the callback can’t reach the CLI”If the loopback server can’t be reached (sandbox, restricted WSL), copy the tokenId from
the browser URL and use:
dhan auth consume --token-id <tokenId> --app-id A --app-secret S --json --no-colorPIN + TOTP (no browser)
Section titled “PIN + TOTP (no browser)”dhan auth totp --client-id C --pin 1234 --totp 567890 --json --no-colorCalls app/generateAccessToken.
Partner flow
Section titled “Partner flow”dhan auth partner-login --partner-id <id> --partner-secret <secret> --json --no-colordhan auth partner-consume --token-id <tokenId> --partner-id <id> --partner-secret <secret> --json --no-colordhan auth renew --json --no-colorThe RenewToken endpoint adds a dhanClientId header in addition to the usual client-id
and access-token headers used on the v2 surface.