Authentication Commands

The teactl auth commands manage authentication with the Teabar API. Teabar uses OIDC (OpenID Connect) for all authentication - there are no username/password credentials or API tokens.

teactl auth login

Authenticate with Teabar using OIDC device flow.

teactl auth login [flags]

Flags

Flag              Description
--no-browser      Don’t open browser automatically
--context <name>  Store credentials in named context

Examples

# Interactive login (opens browser)
teactl auth login

# Manual flow (for headless systems)
teactl auth login --no-browser

# Login to a different context
teactl auth login --context work

Interactive flow:

$ teactl auth login
Opening browser to authenticate...

If browser doesn't open, visit:
  https://auth.bcp.technology/realms/teabar/device

Enter code: ABCD-1234

Waiting for authorization... ⠋

✓ Authenticated as [email protected]
  Organization: my-company
  Role: Admin
  Token expires: 2026-02-17 10:30:00

Credentials stored in system keychain.

Headless flow:

$ teactl auth login --no-browser
To authenticate, open this URL in a browser:
  https://auth.bcp.technology/realms/teabar/device

Enter the code: ABCD-1234

Waiting for authorization...

✓ Authenticated as [email protected]
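
While the CLI shows "Waiting for authorization...", a device-flow client polls the identity provider's token endpoint as described in RFC 8628. The Python sketch below is an added example, not teactl's own code; it runs that polling loop against a simulated endpoint, and FakeTokenEndpoint, the scripted replies and all identifiers in them are constructed for illustration.

```python
# Added example: RFC 8628 device-flow polling against a simulated endpoint.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class FakeTokenEndpoint:
    """Stands in for the IdP token endpoint; replies are scripted per poll."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.requests = []

    def post(self, form):
        self.requests.append(form)
        return self.replies.pop(0)

def poll_for_token(endpoint, device_code, client_id, interval, expires_in,
                   sleep=lambda seconds: None):
    """Poll until approval, denial or expiry (a real client passes time.sleep)."""
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        reply = endpoint.post({"grant_type": DEVICE_GRANT,
                               "device_code": device_code,
                               "client_id": client_id})
        error = reply.get("error")
        if error is None:
            return reply, waited      # approved: this is the token response
        if error == "authorization_pending":
            continue                  # user has not entered the code yet
        if error == "slow_down":
            interval += 5             # RFC 8628 section 3.5: back off by 5 s
            continue
        raise PermissionError(error)  # access_denied, expired_token, others
    raise TimeoutError("device code expired before approval")

# Constructed exchange: pending, slow_down, pending, then approval.
SCRIPT = [{"error": "authorization_pending"},
          {"error": "slow_down"},
          {"error": "authorization_pending"},
          {"access_token": "constructed.access.token", "token_type": "Bearer",
           "expires_in": 300, "refresh_token": "constructed-refresh-token"}]

def demo():
    endpoint = FakeTokenEndpoint(SCRIPT)
    token, waited = poll_for_token(endpoint, "constructed-device-code",
                                   "constructed-client", 5, 600)
    return token["token_type"], waited, len(endpoint.requests)

if __name__ == "__main__":
    print(demo())
```

The client treats only authorization_pending and slow_down as retryable; any other error ends the login attempt, so a denied or expired code never leaves the CLI polling indefinitely.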

teactl auth logout

Clear stored credentials.

teactl auth logout [flags]

Flags

Flag   Description
--all  Clear all stored sessions/contexts

Examples

# Logout current session
teactl auth logout

# Clear all credentials
teactl auth logout --all

teactl auth status

Show current authentication status.

teactl auth status [flags]

Examples

$ teactl auth status
Authentication: Valid
User: [email protected]
Provider: github (via Keycloak)
Organization: my-company
Role: Admin
Token expires: 2026-02-17 10:30:00 (in 7 days)
Credential storage: macOS Keychain

If not authenticated:

$ teactl auth status
Authentication: ✗ Not authenticated

Run 'teactl auth login' to authenticate.

teactl auth whoami

Display current user information.

teactl auth whoami [flags]

Flags

Flag               Description
--output <format>  Output format (table, json, yaml)

Examples

$ teactl auth whoami
Email: [email protected]
Name: John Doe
Provider: github (via Keycloak)

Organizations:
  my-company (Admin)
  acme-corp (Member)

Current Context:
  Organization: my-company
  Project: default

teactl auth test

Test authentication and connectivity.

teactl auth test [flags]

Examples

$ teactl auth test
 OIDC provider reachable
 Token valid
 API connectivity OK
 Organization access confirmed

All checks passed.

CI/CD Authentication

For CI/CD pipelines, use Keycloak service accounts instead of interactive login. Service accounts are managed in Keycloak, not in Teabar.

Setting Up a Service Account

  1. Contact your Keycloak administrator
  2. Request a service account with appropriate roles
  3. Obtain the service account credentials (client ID + secret)
  4. Generate an access token using client credentials flow

Using Service Accounts in Pipelines

Set the TEABAR_TOKEN environment variable with a Keycloak access token:

# Get token from Keycloak (example using curl)
TOKEN=$(curl -s -X POST \
  "https://auth.bcp.technology/realms/teabar/protocol/openid-connect/token" \
  -d "client_id=my-service-account" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "grant_type=client_credentials" | jq -r '.access_token')

export TEABAR_TOKEN="$TOKEN"
teactl env create --blueprint test-environment --name ci-test
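
When the token request fails, the response body has no access_token field and `jq -r '.access_token'` prints the literal string `null`, which the pipeline above would then export as TEABAR_TOKEN. The Python helper below is an added example, not part of teactl or Keycloak; it vets the token endpoint's response before the token is used, assuming the access token is a JWT (as Keycloak issues by default). The sample responses and make_sample_jwt are constructed.

```python
# Added example: vet a token-endpoint response before exporting TEABAR_TOKEN.
import base64
import json
import time

def b64url(data):
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def extract_token(response_body, now=None, min_ttl=60):
    """Return the access token or raise ValueError saying why it is unusable.

    The payload is decoded WITHOUT verifying the signature: this is only a
    client-side sanity check; the API still has to validate the token.
    """
    now = time.time() if now is None else now
    doc = json.loads(response_body)          # JSONDecodeError is a ValueError
    if not isinstance(doc, dict):
        raise ValueError("token response is not a JSON object")
    if "error" in doc:
        raise ValueError("token endpoint error: %s" % doc["error"])
    token = doc.get("access_token")
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("no JWT access_token in response")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp - now < min_ttl:
        raise ValueError("token expires too soon for this job")
    return token

def make_sample_jwt(claims):
    """Constructed, unsigned JWT-shaped string used only as sample input."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, body, b64url(b"constructed-signature"))

# Constructed responses: a usable one and an OAuth error body.
GOOD = json.dumps({"access_token": make_sample_jwt({"exp": 2000}),
                   "token_type": "Bearer", "expires_in": 1000})
ERROR = json.dumps({"error": "unauthorized_client"})

if __name__ == "__main__":
    print(extract_token(GOOD, now=1000)[:20] + "...")
```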

GitHub Actions

name: Deploy Environment

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install teactl
        run: curl -fsSL https://teabar.dev/install.sh | sh
      
      - name: Get Keycloak Token
        id: auth
        run: |
          TOKEN=$(curl -s -X POST \
            "${{ vars.KEYCLOAK_URL }}/protocol/openid-connect/token" \
            -d "client_id=${{ vars.KEYCLOAK_CLIENT_ID }}" \
            -d "client_secret=${{ secrets.KEYCLOAK_CLIENT_SECRET }}" \
            -d "grant_type=client_credentials" | jq -r '.access_token')
          # Mask the token so it is redacted if it appears in job logs
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
      
      - name: Create test environment
        env:
          TEABAR_TOKEN: ${{ steps.auth.outputs.token }}
          TEABAR_ORG: my-company
        run: |
          teactl env create \
            --blueprint test-environment \
            --name "pr-${{ github.event.number }}" \
            --wait
      
      - name: Run tests
        run: ./run-tests.sh
      
      - name: Cleanup
        if: always()
        env:
          TEABAR_TOKEN: ${{ steps.auth.outputs.token }}
        run: teactl env delete "pr-${{ github.event.number }}" --yes

GitLab CI

variables:
  KEYCLOAK_URL: "https://auth.bcp.technology/realms/teabar"

stages:
  - deploy
  - test
  - cleanup

.get_token: &get_token
  - |
    export TEABAR_TOKEN=$(curl -s -X POST \
      "${KEYCLOAK_URL}/protocol/openid-connect/token" \
      -d "client_id=${KEYCLOAK_CLIENT_ID}" \
      -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
      -d "grant_type=client_credentials" | jq -r '.access_token')

deploy:
  stage: deploy
  image: teabar/teactl:latest
  script:
    - *get_token
    - teactl env create
        --blueprint test-environment
        --name "mr-${CI_MERGE_REQUEST_IID}"
        --wait
  environment:
    name: review/${CI_MERGE_REQUEST_IID}
    on_stop: cleanup

test:
  stage: test
  script:
    - ./run-tests.sh

cleanup:
  stage: cleanup
  image: teabar/teactl:latest
  script:
    - *get_token
    - teactl env delete "mr-${CI_MERGE_REQUEST_IID}" --yes
  when: manual
  environment:
    name: review/${CI_MERGE_REQUEST_IID}
    action: stop

Credential Storage

teactl stores credentials securely using the system keychain:

Platform  Storage
macOS     Keychain
Linux     libsecret/Secret Service
Windows   Credential Manager

If no keychain is available, credentials are stored in an encrypted file at ~/.teactl/credentials.enc.

Storage Priority

  1. Environment variable: TEABAR_TOKEN (for CI/CD)
  2. System keychain (for interactive use)
  3. Encrypted file fallback

Troubleshooting

Token expired

$ teactl env list
Error: authentication token expired

Run 'teactl auth login' to re-authenticate.

Tokens are automatically refreshed, but if your refresh token has also expired, you’ll need to log in again.

OIDC provider unreachable

$ teactl auth login
Error: failed to connect to OIDC provider

Check your network connection and try again.

Test connectivity:

teactl auth test

Permission denied

$ teactl org delete my-company
Error: permission denied

Your role (Member) does not have permission for this action.
Contact an organization Admin for assistance.

Check your current role:

teactl auth whoami

Related Commands

  • config - Manage CLI configuration
  • org - Organization management
  • env - Environment commands