kite auth
Store credentials, exchange tokens for a session, inspect state, and wipe credentials.
Stored in the OS keyring under the kite-cli: prefix. See Concepts › Secret storage.
Commands
Section titled “Commands”| Command | Purpose |
|---|---|
kite auth configure --api-key <key> --api-secret <secret> |
Store Kite app credentials. Does not create a session. |
kite auth login [--api-key <key>] [--api-secret <secret>] [--port 17890] [--timeout-seconds 180] [--no-open] |
Open (or print) the login URL, wait for callback, store a fresh access token. |
kite auth browser-login [same flags as login] |
Explicit browser-login variant of auth login. |
kite auth exchange --request-token <token> [--api-secret <secret>] |
Exchange a request token for an access token. |
kite auth status |
Show stored credential / session booleans. |
kite auth logout [--forget-app] |
Remove the stored session, optionally app credentials too. |
One-time app-credential setup
Section titled “One-time app-credential setup”kite auth configure --api-key <api_key> --api-secret <api_secret> --json --no-colorPrints { "configured": true, "callbackUrl": "http://127.0.0.1:17890/" }. Does not create
a session — run auth login next.
Daily browser login
Section titled “Daily browser login”Kite sessions expire every day. Use auth login to refresh.
kite auth login --json --no-color # opens browser, waits for callbackkite auth login --no-open --json --no-color # prints URL only — wait for the callback to reach this same machineThe CLI spins up a small TcpListener on 127.0.0.1:17890. Configure your Kite app’s
redirect URL to http://127.0.0.1:17890/. Override the port with --port <number>.
When the callback can never reach your machine
Section titled “When the callback can never reach your machine”For headless boxes / restricted WSL where the callback cannot reach the CLI, never start a
waiting login command. Ask the operator to obtain a Kite request_token through an external
login flow, then exchange it:
kite auth exchange --request-token <request_token> --json --no-colorIf an --api-secret is already stored, --api-secret defaults to the stored secret — you
only need to pass --request-token.
Half-configured login
Section titled “Half-configured login”auth login --api-key <key> with no secret stores the api key and prints the login URL plus a
“store an api secret to enable one-command login” hint, but does not wait for the callback.
Useful for setups where you want to share the URL out-of-band.
Status
Section titled “Status”kite auth status --json --no-color{ "apiKeyStored": true, "apiSecretStored": true, "accessTokenStored": true, "authenticated": true}Only booleans are printed — never the secret values themselves.
Logout
Section titled “Logout”kite auth logout --json --no-color # removes only the access token (keep creds for next login)kite auth logout --forget-app --json --no-color # removes api key, api secret, AND access token