Skip to main content
The Affonso CLI supports two authentication methods. You can use either one depending on your use case. OAuth is the recommended method for interactive use. It opens your browser for secure authentication via OAuth 2.1 with PKCE. 
affonso login
After authenticating, tokens are stored locally in ~/.config/affonso/auth.json. The CLI automatically refreshes expired tokens. 
affonso whoami     # check your current session
affonso logout     # revoke token and clear credentials
OAuth tokens are scoped to your account and automatically refreshed. You don’t need to manage API keys.

API key

For non-interactive use (scripts, CI/CD, AI agents), you can authenticate with an API key. There are three ways to provide it: 
affonso affiliates list --api-key sk_live_...
Never commit API keys to version control or share them publicly. Use environment variables in CI/CD pipelines.

Auth priority

When multiple methods are configured, the CLI uses this priority order:
  1. --api-key flag (highest)
  2. AFFONSO_API_KEY environment variable
  3. Stored config (affonso config set api-key)
  4. OAuth token (lowest)

API key formats

EnvironmentFormat
Productionsk_live_ + 32 characters
Developmentsk_dev_ + 32 characters
You can create API keys in your Affonso dashboard.