CLI Authentication
The doover login command authenticates you with the Doover platform using an OAuth2 device authorisation flow. Your credentials are saved to a named profile in ~/.doover/config and reused automatically for subsequent commands.
Login
doover login
This triggers the device authorisation flow:
- The CLI requests a device code from the Doover auth server
- A user code is displayed in your terminal
- Your browser opens to the Doover login page (or you navigate there manually)
- You enter the user code and authorise the CLI
- The CLI polls until authorisation completes, then saves your tokens
User Code: ABCD-EFGH Waiting for authorisation... ✓ Logged in successfully. Profile: default
Options
| Option | Description |
|---|---|
--staging | Log in to the staging environment instead of production |
--profile NAME | Save credentials under a named profile instead of default |
Staging Environment
To log in to the staging environment:
doover login --staging
This creates a profile named staging (unless --profile overrides it) and configures the auth server, Control API, and Data API URLs to point to the staging environment.
Profiles
Profiles store your authentication state so you do not need to log in every time. Each profile contains your access token, refresh token, agent ID, and API URLs.
Default Profile
When you run doover login without --profile, credentials are saved to the default profile. All commands use this profile unless you specify otherwise.
Creating Named Profiles
Create profiles for different environments or accounts:
# Production profile doover login --profile production # Staging profile doover login --staging --profile staging # Customer-specific profile doover login --profile acme-corp
Selecting a Profile
Use --profile on any command to select which credentials to use:
doover app list --profile production doover device list --profile staging
Profile Storage
Profiles are stored in ~/.doover/config in an INI-style format:
[profile=default] TOKEN=eyJhbGciOiJSUzI1NiIs... TOKEN_EXPIRES=1748880000.0 AGENT_ID=12345 BASE_URL=https://api.doover.com REFRESH_TOKEN=refresh_token_value BASE_DATA_URL=https://data.doover.com/api AUTH_SERVER_URL=https://auth.doover.com
Each profile block stores the fields needed to authenticate API requests and refresh expired tokens.
Token Refresh
Tokens are refreshed automatically. When a command runs, the CLI checks whether the current access token is about to expire (within 30 seconds) and uses the stored refresh token to obtain a new one. The updated token is saved back to the profile.
You do not need to re-run doover login unless your refresh token itself has expired or been revoked.
Environment Variables
The CLI reads profile configuration from ~/.doover/config. There are no environment variables for overriding credentials directly — use named profiles instead.
Relationship to pydoover Auth
The CLI uses the same ConfigManager and AuthProfile classes as pydoover's Python API. Profiles created by doover login can be used directly in Python code:
from pydoover.api import DataClient # Uses the same profile created by `doover login` client = DataClient(profile="default")
See pydoover Authentication for details on using profiles programmatically.
Related Pages
- Doover CLI Overview -- global options and command groups
- pydoover Authentication -- profile-based auth in Python code