# Auth

Authenticate with sfp server

* [`sfp auth clear`](#sfp-auth-clear)
* [`sfp auth display`](#sfp-auth-display)
* [`sfp auth list`](#sfp-auth-list)
* [`sfp auth login`](#sfp-auth-login)
* [`sfp auth refresh`](#sfp-auth-refresh)

## `sfp auth clear`

This command clears all the local tokens created by sfp auth login command

```
USAGE
  $ sfp auth clear [--json] [-e <value> | -a] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -a, --all                         Clear all users
  -e, --email=<value>               Email of the user
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  This command clears all the local tokens created by sfp auth login command

EXAMPLES
  $ sfp auth clear --email user@example.com

  $ sfp auth clear --all
```

*See code:* [*src/commands/auth/clear.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp auth display`

Display authentication token information

```
USAGE
  $ sfp auth display -e <value> [--json] [--jwt] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -e, --email=<value>               (required) Email of the user
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --jwt                         Display JWT of the user
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Display authentication token information

EXAMPLES
  $ sfp auth display --email user@example.com

  $ sfp auth display -e user@example.com --jwt
```

*See code:* [*src/commands/auth/display.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp auth list`

This command lists all auth tokens of users and its status stored locally

```
USAGE
  $ sfp auth list [--json] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  This command lists all auth tokens of  users and its status stored locally

EXAMPLES
  $ sfp auth list

  $ sfp auth list --json
```

*See code:* [*src/commands/auth/list.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp auth login`

Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in the keychain for subsequent commands.

```
USAGE
  $ sfp auth login [--json] [-e <value>] [--password <value> --admin] [--password-file <value> ]
    [--sfp-server-url <value>] [-i] [--global-auth] [--sso-domain <value> --provider github|saml] [--sso-provider-id
    <value> ] [-g <value>...] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -e, --email=<value>               Email of the user. Can be set as a default with `sfp set server-email <email>
                                    --global`.
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
  -i, --impersonate                 Use impersonate mode to impersonate an existing user in the system, Need secrets
                                    such as SUPABASE_JWT_SECRET ,
                                    SUPABASE_SERVICE_KEY and SUPABASE_URL of your sfp server instance.
      --admin                       Log in as an admin user using username and password
      --[no-]global-auth            Use global authentication configuration instead of environment variables. When
                                    enabled, environment variables will not override the global configuration.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>
      --password=<value>            Admin password for non-interactive login (insecure, prefer password-file)
      --password-file=<value>       Path to file containing admin password
      --provider=<option>           [default: github] Authentication provider to use (github, saml)
                                    <options: github|saml>
      --sfp-server-url=<value>      [default: http://localhost:3029, env: SFP_SERVER_URL] URL of the SFP server, You can
                                    also set this using the `SFP_SERVER_URL` environment variable
      --sso-domain=<value>          SSO domain for SAML authentication (e.g., company.com)
      --sso-provider-id=<value>     SSO provider ID for SAML authentication

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Authenticate with the SFP server using various authentication strategies. This creates a JWT token stored securely in
  the keychain for subsequent commands.

  Authentication methods:
  - OAuth (default): Uses GitHub OAuth through Supabase for authentication
  - SAML SSO: Enterprise single sign-on authentication via SAML providers
  * Uses your SFP server's /sfp/api/config response for self-hosted auth settings
  * Automatically disables --global-auth
  * Use --sfp-server-url, or set server-url, to point to your self-hosted SFP instance
  - Admin: Username/password authentication for admin users (--admin flag)
  - Impersonate: Create tokens for existing users (requires SUPABASE_JWT_SECRET)

  Self-hosted authentication is configured using:
  - `sfp set server-url <url>` - Set the SFP server URL that publishes auth settings
  - `sfp set server-email <email>` - Set the default user email for server authentication
  - `sfp config:set auth-sso-domain <domain>` - Set SSO domain for SAML authentication
  - `sfp config:set auth-sso-provider-id <id>` - Set SSO provider ID for SAML authentication
  - Environment variables: SFP_SERVER_URL, SFP_SERVER_USER, AUTH_SSO_DOMAIN, AUTH_SSO_PROVIDER_ID

  Advanced override only:
  - `sfp config:set auth-supabase-url <url>` and `auth-supabase-anon-key <key>` can override the server-published auth
  settings for non-standard deployments.

EXAMPLES
  $ sfp auth login --email "user@example.com"

  $ sfp auth login --email "admin@example.com" --admin --password mypassword

  $ sfp auth login --email "admin@example.com" --admin --password-file ./password.txt



  # SAML SSO authentication against a self-hosted SFP server

  # Note: Global auth is automatically disabled for SAML authentication

  $ sfp auth login --email "user@company.com" --provider saml --sfp-server-url https://sfp.company.com

  $ sfp auth login --email "user@company.com" --provider saml --sso-domain company.com --sfp-server-url https://sfp.company.com



  # Configure SAML SSO defaults

  $ sfp set server-url https://sfp.company.com --global

  $ sfp set server-email user@company.com --global

  $ sfp config:set auth-sso-domain company.com

  $ sfp auth login --provider saml
```

*See code:* [*src/commands/auth/login.ts*](https://source.flxbl.io/flxbl/sfp-pro)

## `sfp auth refresh`

Refreshes a stored authentication token using its refresh token. Useful in long running CI sessions or when a token is approaching expiry.

```
USAGE
  $ sfp auth refresh [--json] [-e <value> | -a] [-g <value>...] [--loglevel
    trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

FLAGS
  -a, --all                         Refresh all stored tokens that have a refresh context
  -e, --email=<value>               Email address of the token to refresh
  -g, --logsgroupsymbol=<value>...  Symbol used by CICD platform to group/collapse logs in the console. Provide an
                                    opening group, and an optional closing group symbol.
      --loglevel=<option>           [default: info] logging level for this command invocation
                                    <options: trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL>

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Refreshes a stored authentication token using its refresh token. Useful in long running CI sessions or when a token is
  approaching expiry.

EXAMPLES
  $ sfp auth refresh --email user@example.com

  $ sfp auth refresh --all

  $ sfp auth refresh --email user@example.com --json
```

*See code:* [*src/commands/auth/refresh.ts*](https://source.flxbl.io/flxbl/sfp-pro)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flxbl.io/flxbl/sfp/sfp-community/cli-reference-v51-release-v3/advanced/auth.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.