Skip to content

feat(auth): add 'auth token' command to securely output access token#635

Merged
evoxmusic merged 2 commits into
mainfrom
feat/auth-token-command
May 7, 2026
Merged

feat(auth): add 'auth token' command to securely output access token#635
evoxmusic merged 2 commits into
mainfrom
feat/auth-token-command

Conversation

@evoxmusic
Copy link
Copy Markdown
Contributor

@evoxmusic evoxmusic commented May 7, 2026

Summary

  • Adds qovery auth token subcommand that outputs a valid, auto-refreshed access token for use by external tools (e.g. Qovery AI Skill) that need to make direct Qovery API calls
  • Eliminates the need for external tools to read ~/.qovery/context.json directly to extract the JWT token
  • Supports three output modes: raw token value (default), --authorization-header for the full header, and --json for structured output including expiration and API URL

Motivation

The Qovery AI Skill increasingly needs to interact with the Qovery API directly for operations not yet available in the CLI. Currently, it reads the JWT from ~/.qovery/context.json, which:

  • Couples external tools to the CLI's internal file format
  • Bypasses token validation and refresh logic (if the token is expired, the AI skill has no way to refresh it)

This command provides a clean, programmatic interface that handles token refresh automatically.

Usage

# Get the raw token value (default - pipe-friendly)
TOKEN=$(qovery auth token)

# Use directly in curl
curl -H "Authorization: Bearer $(qovery auth token)" https://api.qovery.com/organization

# Get the full Authorization header value
qovery auth token --authorization-header

# Get structured JSON output
qovery auth token --json
# {
#   "access_token": "eyJ...",
#   "token_type": "Bearer",
#   "expires_at": "2026-05-08T12:00:00Z",
#   "api_url": "https://api.qovery.com"
# }

# JSON with authorization header pre-formatted
qovery auth token --json --authorization-header
# {
#   "authorization_header": "Bearer eyJ...",
#   "expires_at": "2026-05-08T12:00:00Z",
#   "api_url": "https://api.qovery.com"
# }

Security

  • Only the short-lived access token is exposed, never the refresh token
  • Token is validated before output (via GetAccessToken() which calls the API)
  • Errors go to stderr, stdout contains only the token — safe for $() substitution
  • ~/.qovery/context.json permissions remain 0600

Files Changed

File Change
cmd/auth_token.go New — command implementation

No existing code was modified. The existing qovery auth command continues to work unchanged.

@evoxmusic
feat(auth): add 'auth token' command to securely output access token
3afda92 
Add a new 'qovery auth token' subcommand that prints a valid access token
for use by external tools (e.g. Qovery AI Skill) that need to make direct
API calls. The token is automatically refreshed if expired.

Supports three output modes:
- Default: raw token value only (pipe-friendly for shell substitution)
- --authorization-header: full 'Bearer <token>' header value
- --json: structured JSON with token, type, expiration, and API URL
@evoxmusic
refactor(auth token): require --print flag to output token value
63e5f3a 
For security, 'qovery auth token' no longer prints the token by default.
Running without --print or --json now shows help text with available flags.
This prevents accidental token leakage during screen sharing or in recorded
terminal sessions.
@evoxmusic evoxmusic merged commit 00088cc into main May 7, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benjaminch benjaminch benjaminch approved these changes

@fabienfleureau fabienfleureau fabienfleureau approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@evoxmusic @benjaminch @fabienfleureau