Authentication

The CLI uses the OAuth device authorization flow (RFC 8628) — the same pattern used by the GitHub CLI. No passwords are entered in the terminal.

How the Device Flow Works

Direct API Key Login

If you already have an API key (e.g., for CI/CD or scripts), skip the browser flow:
dm login --key dm_sk_live_xxxxx
This verifies the key against the API and saves it locally.

Logout

dm logout
Removes stored credentials from ~/.dealmachine/config.json.

Check Auth Status

dm whoami
Current authentication:

  Organization: My Company (my-company)
  Org ID:       1
  API Key:      dm_sk_live_VMgXKyJQ...
  Key ID:       key_abc123def456

Config file: /Users/you/.dealmachine/config.json
Use --verify to test your key against the server:
dm whoami --verify

Credential Storage

Credentials are stored at:
~/.dealmachine/config.json
The file has 0600 permissions (owner-only read/write) and contains:
{
  "apiKey": "dm_sk_live_xxx",
  "keyId": "key_abc123",
  "organizationId": 1,
  "organizationName": "My Company",
  "organizationSlug": "my-company"
}
Never share your config.json file or commit it to version control. The API key provides full access to your organization’s data.
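The two rules above (owner-only 0600 permissions, and never committing the key) can be checked automatically before a commit or in CI. The script below is an added example, not part of the dm CLI; it assumes a POSIX system, the function names are hypothetical, and the key-body pattern is an assumption (only the dm_sk_live_ prefix comes from this page). It scans the working tree only, not git history.

```python
import os
import re
import stat
import sys
from pathlib import Path

# Only the "dm_sk_live_" prefix comes from the page; the body pattern is an assumption.
KEY_RE = re.compile(r"dm_sk_live_[A-Za-z0-9_-]{8,}")

def audit_config(path):
    """Return findings for the CLI config file; an empty list means it looks fine."""
    p = Path(path).expanduser()
    if not p.exists():
        return []  # nothing stored, e.g. after `dm logout`
    st = p.stat()
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit set
        findings.append(f"mode {mode:04o} grants group/other access, expected 0600")
    if st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    return findings

def find_leaked_keys(root):
    """Return (relative path, line number) for key-shaped strings under root.

    The key itself is never returned, so the report is safe to paste into a ticket.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            fp = Path(dirpath) / name
            try:
                lines = fp.read_text(errors="ignore").splitlines()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits += [(str(fp.relative_to(root)), n)
                     for n, line in enumerate(lines, 1) if KEY_RE.search(line)]
    return sorted(hits)

if __name__ == "__main__":
    problems = audit_config("~/.dealmachine/config.json")
    leaks = find_leaked_keys(sys.argv[1] if len(sys.argv) > 1 else ".")
    for msg in problems:
        print("config:", msg)
    for rel, n in leaks:
        print(f"possible API key at {rel}:{n}")
    sys.exit(1 if problems or leaks else 0)
```

Run it with a repository path as the only argument; a non-zero exit status means the config file is too permissive or a key-shaped string was found in the tree.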

Revoking Access

To revoke a CLI key:
  1. Go to Developer Settings
  2. Find the key (named “CLI” or the device name)
  3. Click Revoke
After revoking, run dm logout to clean up local credentials, then dm login to re-authenticate.

Troubleshooting

Use the --no-browser flag and manually visit the URL:
dm login --no-browser
Device codes expire after 30 days. Run dm login again to get a fresh code.
Run dm logout first, then dm login again. Make sure you select the correct organization in the browser.
Your key may have been revoked. Run:
dm whoami --verify
If it fails, run dm logout && dm login to re-authenticate.