Skip to content

kite auth

Store credentials, exchange tokens for a session, inspect state, and wipe credentials. Stored in the OS keyring under the kite-cli: prefix. See Concepts › Secret storage.

Command Purpose
kite auth configure --api-key <key> --api-secret <secret> Store Kite app credentials. Does not create a session.
kite auth login [--api-key <key>] [--api-secret <secret>] [--port 17890] [--timeout-seconds 180] [--no-open] Open (or print) the login URL, wait for callback, store a fresh access token.
kite auth browser-login [same flags as login] Explicit browser-login variant of auth login.
kite auth exchange --request-token <token> [--api-secret <secret>] Exchange a request token for an access token.
kite auth status Show stored credential / session booleans.
kite auth logout [--forget-app] Remove the stored session, optionally app credentials too.
Terminal window
kite auth configure --api-key <api_key> --api-secret <api_secret> --json --no-color

Prints { "configured": true, "callbackUrl": "http://127.0.0.1:17890/" }. Does not create a session — run auth login next.

Kite sessions expire every day. Use auth login to refresh.

Terminal window
kite auth login --json --no-color # opens browser, waits for callback
kite auth login --no-open --json --no-color # prints URL only — wait for the callback to reach this same machine

The CLI spins up a small TcpListener on 127.0.0.1:17890. Configure your Kite app’s redirect URL to http://127.0.0.1:17890/. Override the port with --port <number>.

When the callback can never reach your machine

Section titled “When the callback can never reach your machine”

For headless boxes / restricted WSL where the callback cannot reach the CLI, never start a waiting login command. Ask the operator to obtain a Kite request_token through an external login flow, then exchange it:

Terminal window
kite auth exchange --request-token <request_token> --json --no-color

If an --api-secret is already stored, --api-secret defaults to the stored secret — you only need to pass --request-token.

auth login --api-key <key> with no secret stores the api key and prints the login URL plus a “store an api secret to enable one-command login” hint, but does not wait for the callback. Useful for setups where you want to share the URL out-of-band.

Terminal window
kite auth status --json --no-color
{
"apiKeyStored": true,
"apiSecretStored": true,
"accessTokenStored": true,
"authenticated": true
}

Only booleans are printed — never the secret values themselves.

Terminal window
kite auth logout --json --no-color # removes only the access token (keep creds for next login)
kite auth logout --forget-app --json --no-color # removes api key, api secret, AND access token