This command clears all the local tokens created by sfp auth login command
USAGE
$ sfp auth clear [--json] [-e <value> | -a] [-g <value>...] [--loglevel
trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-a, --all Clear all users
-e, --email=<value> Email of the user
-g, --logsgroupsymbol=<value>... Symbol used by CICD platform to group/collapse logs in the console. Provide an
opening group, and an optional closing group symbol.
--loglevel=<option> [default: info] logging level for this command invocation
<options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
This command clears all the local tokens created by sfp auth login command
EXAMPLES
$ sfp auth clear --email [email protected] $ sfp auth clear --all
Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in the keychain for subsequent commands.
USAGE
$ sfp auth display -e <value> [--json] [--jwt] [-g <value>...] [--loglevel
trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-e, --email=<value> (required) Email of the user
-g, --logsgroupsymbol=<value>... Symbol used by CICD platform to group/collapse logs in the console. Provide an
opening group, and an optional closing group symbol.
--jwt Display JWT of the user
--loglevel=<option> [default: info] logging level for this command invocation
<options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
Display authentication token information
EXAMPLES
$ sfp auth display --email [email protected] $ sfp auth display -e [email protected] --jwt
USAGE
$ sfp auth list [--json] [-g <value>...] [--loglevel
trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-g, --logsgroupsymbol=<value>... Symbol used by CICD platform to group/collapse logs in the console. Provide an
opening group, and an optional closing group symbol.
--loglevel=<option> [default: info] logging level for this command invocation
<options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
This command lists all auth tokens of users and its status stored locally
EXAMPLES
$ sfp auth list
$ sfp auth list --json
USAGE
$ sfp auth login [--json] [-e <value>] [--password <value> --admin] [--password-file <value> ]
[--sfp-server-url <value>] [-i] [--global-auth] [--sso-domain <value> --provider github|saml] [--sso-provider-id
<value> ] [-g <value>...] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-e, --email=<value> Email of the user. Can be set as a default with `sfp set server-email <email>
--global`.
-g, --logsgroupsymbol=<value>... Symbol used by CICD platform to group/collapse logs in the console. Provide an
opening group, and an optional closing group symbol.
-i, --impersonate Use impersonate mode to impersonate an existing user in the system, Need secrets
such as SUPABASE_JWT_SECRET ,
SUPABASE_SERVICE_KEY and SUPABASE_URL of your sfp server instance.
--admin Log in as an admin user using username and password
--[no-]global-auth Use global authentication configuration instead of environment variables. When
enabled, environment variables will not override the global configuration.
--loglevel=<option> [default: info] logging level for this command invocation
<options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
--password=<value> Admin password for non-interactive login (insecure, prefer password-file)
--password-file=<value> Path to file containing admin password
--provider=<option> [default: github] Authentication provider to use (github, saml)
<options: github|saml>
--sfp-server-url=<value> [default: http://localhost:3029, env: SFP_SERVER_URL] URL of the SFP server, You can
also set this using the `SFP_SERVER_URL` environment variable
--sso-domain=<value> SSO domain for SAML authentication (e.g., company.com)
--sso-provider-id=<value> SSO provider ID for SAML authentication
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in
the keychain for subsequent commands.
Authentication methods:
- OAuth (default): Uses GitHub OAuth through Supabase for authentication
- SAML SSO: Enterprise single sign-on authentication via SAML providers
* Uses your SFP server's /sfp/api/config response for self-hosted auth settings
* Automatically disables --global-auth
* Use --sfp-server-url, or set server-url, to point to your self-hosted SFP instance
- Admin: Username/password authentication for admin users (--admin flag)
- Impersonate: Create tokens for existing users (requires SUPABASE_JWT_SECRET)
Self-hosted authentication is configured using:
- `sfp set server-url <url>` - Set the SFP server URL that publishes auth settings
- `sfp set server-email <email>` - Set the default user email for server authentication
- `sfp config:set auth-sso-domain <domain>` - Set SSO domain for SAML authentication
- `sfp config:set auth-sso-provider-id <id>` - Set SSO provider ID for SAML authentication
- Environment variables: SFP_SERVER_URL, SFP_SERVER_USER, AUTH_SSO_DOMAIN, AUTH_SSO_PROVIDER_ID
Advanced override only:
- `sfp config:set auth-supabase-url <url>` and `auth-supabase-anon-key <key>` can override the server-published auth
settings for non-standard deployments.
EXAMPLES
$ sfp auth login --email "[email protected]"
$ sfp auth login --email "[email protected]" --admin --password mypassword
$ sfp auth login --email "[email protected]" --admin --password-file ./password.txt
# SAML SSO authentication against a self-hosted SFP server
# Note: Global auth is automatically disabled for SAML authentication
$ sfp auth login --email "[email protected]" --provider saml --sfp-server-url https://sfp.company.com
$ sfp auth login --email "[email protected]" --provider saml --sso-domain company.com --sfp-server-url https://sfp.company.com
# Configure SAML SSO defaults
$ sfp set server-url https://sfp.company.com --global
$ sfp set server-email [email protected] --global
$ sfp config:set auth-sso-domain company.com
$ sfp auth login --provider saml
USAGE
$ sfp auth refresh [--json] [-e <value> | -a] [-g <value>...] [--loglevel
trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-a, --all Refresh all stored tokens that have a refresh context
-e, --email=<value> Email address of the token to refresh
-g, --logsgroupsymbol=<value>... Symbol used by CICD platform to group/collapse logs in the console. Provide an
opening group, and an optional closing group symbol.
--loglevel=<option> [default: info] logging level for this command invocation
<options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
Refreshes a stored authentication token using its refresh token. Useful in long running CI sessions or when a token is
approaching expiry.
EXAMPLES
$ sfp auth refresh --email [email protected] $ sfp auth refresh --all
$ sfp auth refresh --email [email protected] --json
