# Auth

Allows to authenticate to a sfp server

* [`sfp server auth clear`](#sfp-server-auth-clear)
* [`sfp server auth display`](#sfp-server-auth-display)
* [`sfp server auth list`](#sfp-server-auth-list)
* [`sfp server auth login`](#sfp-server-auth-login)

## `sfp server auth clear`

This command clears all the local tokens created by sfp server auth login command

```
USAGE
  $ sfp server auth clear [--json] [-e <value> | -a] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -a, --all                         Clear all users
  -e, --email=<value>               Email of the user
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  This command clears all the local tokens created by sfp server auth login command

EXAMPLES
  $ sfp server auth clear --email user@example.com

  $ sfp server auth clear --all
```

*See code:* [*src/commands/server/auth/clear.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp server auth display`

Display authentication token information

```
USAGE
  $ sfp server auth display -e <value> [--json] [--jwt] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -e, --email=<value>               (required) Email of the user
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --jwt                         Display JWT of the user
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Display authentication token information

EXAMPLES
  $ sfp server auth display --email user@example.com

  $ sfp server auth display -e user@example.com --jwt
```

*See code:* [*src/commands/server/auth/display.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp server auth list`

This command lists all auth tokens of users and its status stored locally

```
USAGE
  $ sfp server auth list [--json] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  This command lists all auth tokens of  users and its status stored locally

EXAMPLES
  $ sfp server auth list

  $ sfp server auth list --json
```

*See code:* [*src/commands/server/auth/list.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp server auth login`

Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in the keychain for subsequent commands.

```
USAGE
  $ sfp server auth login -e <value> [--json] [--password <value> --admin] [--password-file <value> ] [--sfp-server-url
    <value>] [-i] [--global-auth] [--sso-domain <value> --provider github|saml] [--sso-provider-id <value> ] [-g
    <value>...] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -e, --email=<value>               (required) Email of the user
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
  -i, --impersonate                 Use impersonate mode to impersonate an existing user in the system, Need secrets
                                    such as SUPABASE_JWT_SECRET ,
                                    SUPABASE_SERVICE_KEY and SUPABASE_URL of your sfp server instance.
      --admin                       Log in as an admin user using username and password
      --[no-]global-auth            Use global authentication configuration instead of environment variables. When
                                    enabled, environment variables will not override the global configuration.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
      --password=<value>            Admin password for non-interactive login (insecure, prefer password-file)
      --password-file=<value>       Path to file containing admin password
      --provider=<option>           [default: github] Authentication provider to use (github, saml)
                                    <options: github|saml>
      --sfp-server-url=<value>      [default: http://localhost:3029, env: SFP_SERVER_URL] URL of the SFP server, You can
                                    also set this using the `SFP_SERVER_URL` environment variable
      --sso-domain=<value>          SSO domain for SAML authentication (e.g., company.com)
      --sso-provider-id=<value>     SSO provider ID for SAML authentication

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in
  the keychain for subsequent commands.

  Authentication methods:
  - OAuth (default): Uses GitHub OAuth through Supabase for authentication
  - SAML SSO: Enterprise single sign-on authentication via SAML providers
  * Requires a custom Supabase instance with SAML enabled (Pro plan or higher)
  * Cannot be used with --global-auth flag
  * Must configure auth-supabase-url to point to your SAML-enabled instance
  - Admin: Username/password authentication for admin users (--admin flag)
  - Impersonate: Create tokens for existing users (requires SUPABASE_JWT_SECRET)

  Custom authentication endpoints can be configured using:
  - `sfp config:set auth-supabase-url <url>` - Override default Supabase URL
  - `sfp config:set auth-supabase-anon-key <key>` - Override default anonymous key
  - `sfp config:set auth-sso-domain <domain>` - Set SSO domain for SAML authentication
  - `sfp config:set auth-sso-provider-id <id>` - Set SSO provider ID for SAML authentication
  - Environment variables: SUPABASE_URL, SUPABASE_ANON_KEY, AUTH_SSO_DOMAIN, AUTH_SSO_PROVIDER_ID

EXAMPLES
  $ sfp server auth login --email "user@example.com"

  $ sfp server auth login --email "admin@example.com" --admin --password mypassword

  $ sfp server auth login --email "admin@example.com" --admin --password-file ./password.txt



  # SAML SSO authentication (requires custom Supabase instance with SAML enabled)

  # Note: Global auth is automatically disabled for SAML authentication

  $ sfp server auth login --email "user@company.com" --provider saml --sso-domain company.com

  $ sfp server auth login --email "user@company.com" --provider saml --sso-provider-id abc-123-def



  # Configure custom Supabase instance

  $ sfp config:set auth-supabase-url https://my-supabase.example.com

  $ sfp config:set auth-supabase-anon-key eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

  $ sfp server auth login --email "user@example.com"



  # Configure SAML SSO via config (must set custom Supabase URL first)

  $ sfp config:set auth-supabase-url https://your-supabase-instance.supabase.co

  $ sfp config:set auth-supabase-anon-key your-anon-key-here

  $ sfp config:set auth-sso-domain company.com

  $ sfp server auth login --email "user@company.com" --provider saml
```

*See code:* [*src/commands/server/auth/login.ts*](https://source.flxbl.io/flxbl/sfp-pro)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flxbl.io/flxbl/sfp/cli-reference-v50-and-below/server/auth.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.