# Authentication

## Interactive Login

For interactive usage, the CLI opens your browser to authenticate directly with your identity provider:

```bash
nullify auth login --host api.<TENANT>.nullify.ai
```

This will:

1. Open your browser to authenticate with your identity provider (GitHub, Azure, Okta, etc.)
2. Redirect back to the CLI automatically once authenticated
3. Store the credentials locally at `~/.nullify/credentials.json`

## Auth Commands

### Check login status

```bash
nullify auth status
```

### View current token

```bash
nullify auth token
```

### Switch between hosts

```bash
nullify auth switch --host api.<OTHER-TENANT>.nullify.ai
```

### Log out

```bash
nullify auth logout
```

### View configuration

```bash
nullify auth config
```

## CI/CD Usage

For non-interactive environments (CI/CD pipelines, scripts), use token-based authentication:

### Using a Nullify API Token

```bash
nullify --nullify-token <TOKEN> sast list-findings
```

Or set via environment variable:

```bash
export NULLIFY_TOKEN=<TOKEN>
nullify sast list-findings
```

### Using a GitHub Token

```bash
nullify --github-token <GITHUB_TOKEN> sast list-findings
```

Or set via environment variable:

```bash
export GITHUB_TOKEN=<GITHUB_TOKEN>
nullify sast list-findings
```

## Token Precedence

The CLI resolves authentication in this order:

1. `--nullify-token` flag
2. `NULLIFY_TOKEN` environment variable
3. `--github-token` flag (exchanged for a Nullify token)
4. `GITHUB_TOKEN` environment variable (exchanged for a Nullify token)
5. Stored credentials from `nullify auth login`

## Credential Storage

Credentials are stored at `~/.nullify/credentials.json` with file permissions `0600` (owner read/write only). The file contains:

* Access token
* Refresh token
* Token expiry time
* Host configuration

Tokens are automatically refreshed when they expire.
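The two sections above describe a resolution order and a file layout, and a practitioner debugging a CI failure or an unexpected tenant usually wants to know which source actually won and whether the local file is in good shape. The script below is an added example, not the nullify CLI's own code: it mirrors the documented precedence (so a leftover `NULLIFY_TOKEN` in a shell profile or CI runner is visibly shown to override stored credentials, which is exactly what the order above implies) and audits the credentials file for a mode wider than `0600`, a different owner, missing fields, or an expired access token. The JSON key names `access_token`, `refresh_token`, `expires_at` and `host` are assumptions; the page lists the file's contents but not its keys, so adjust them to the real layout before relying on the audit.

```python
"""Added illustration (not the nullify CLI's own code): mirror the documented
token precedence and audit ~/.nullify/credentials.json.

Assumed (not on the documentation page): the JSON field names `access_token`,
`refresh_token`, `expires_at` (Unix timestamp) and `host`.
"""
import json
import os
import stat
import tempfile
import time
from typing import Iterable, List, Mapping, Optional, Tuple

CREDENTIALS_PATH = os.path.expanduser("~/.nullify/credentials.json")
EXPIRY_FIELD = "expires_at"  # assumed field name


def resolve_auth_source(flags: Mapping[str, str], env: Mapping[str, str],
                        credentials_path: str = CREDENTIALS_PATH) -> Optional[Tuple[str, str]]:
    """Return (source, token) following the documented precedence, or None.

    flags: parsed CLI flags, e.g. {"nullify_token": "...", "github_token": "..."}
    env:   the process environment (pass os.environ in real use)
    GitHub sources are only identified here; the real CLI would exchange them
    for a Nullify token, which this illustration does not do.
    """
    ordered: Iterable[Tuple[str, Optional[str]]] = (
        ("--nullify-token flag", flags.get("nullify_token")),
        ("NULLIFY_TOKEN env", env.get("NULLIFY_TOKEN")),
        ("--github-token flag (exchanged)", flags.get("github_token")),
        ("GITHUB_TOKEN env (exchanged)", env.get("GITHUB_TOKEN")),
    )
    for source, value in ordered:
        if value:  # an empty string counts as unset, as a shell would treat it
            return source, value
    if os.path.isfile(credentials_path):
        with open(credentials_path, encoding="utf-8") as fh:
            token = json.load(fh).get("access_token")  # assumed field name
        if token:
            return "stored credentials", token
    return None


def audit_credentials_file(path: str = CREDENTIALS_PATH,
                           now: Optional[float] = None) -> List[str]:
    """Return findings about the credentials file; an empty list means healthy."""
    findings: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: run `nullify auth login`"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"mode {oct(mode)} is wider than 0600; run: chmod 600 {path}")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    for key in ("access_token", "refresh_token", "host"):  # assumed field names
        if not data.get(key):
            findings.append(f"field {key!r} is missing or empty")
    expiry = data.get(EXPIRY_FIELD)
    if expiry is None:
        findings.append(f"no {EXPIRY_FIELD!r} field (assumed name; check the real layout)")
    elif (time.time() if now is None else now) >= float(expiry):
        findings.append("access token has expired; the CLI refreshes it on next use")
    return findings


def write_sample_credentials(expires_in: float = 3600, mode: int = 0o600,
                             directory: Optional[str] = None) -> str:
    """Write a CONSTRUCTED credentials file for demonstration and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="nullify-demo-")
    path = os.path.join(directory, "credentials.json")
    sample = {
        "access_token": "sample-access-token",
        "refresh_token": "sample-refresh-token",
        EXPIRY_FIELD: time.time() + expires_in,
        "host": "api.<TENANT>.nullify.ai",
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)  # set explicitly so the umask does not decide the mode
    return path


if __name__ == "__main__":
    demo = write_sample_credentials()
    winner = resolve_auth_source({}, os.environ, demo)
    print("auth source:", winner[0] if winner else "none")  # never print the token
    print(audit_credentials_file(demo) or "credentials file looks healthy")
```

Run it as `python3 check_auth.py`; it prints only the name of the winning source, never the token value, so its output is safe to paste into a ticket. To audit the real file instead of the constructed sample, call `audit_credentials_file()` with no arguments.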
