| | OAuth | API key |
|---|---|---|
| Best for | Individual users who want quick, secure setup | Admins managing keys centrally, or automated workflows (CI/CD) |
| Setup complexity | Low - browser flow | Medium - manual configuration |
| Key management | Automatic | Manual |
| Token expiry | 8 hours (auto-refreshes) | None |
| User permissions | Uses your permissions | Uses key creator’s permissions |
OAuth authentication
OAuth lets the CLI connect to Omni without requiring you to manually create and manage API keys. When you authenticate with `omni config login`, Omni creates an API key on your behalf and links it to your user account.
Requirements
To use OAuth authentication with the CLI, your organization must have:
- Personal access tokens (PATs) enabled - Organization Admins can activate them by going to Settings > API access > Personal tokens
How it works
When you authenticate the CLI using OAuth, the flow looks like this:
- Run `omni config login` in your terminal.
- Your browser opens to an authorization page for your Omni organization.
- Review the permissions on the authorization page.
- Click Authorize.
- The CLI receives the tokens and stores them securely.
CLI OAuth PATs
When you authenticate with `omni config login`, Omni automatically creates a special PAT called a CLI OAuth PAT. These differ from standard PATs in a few ways:
- Any user can create one
- Access tokens expire after 8 hours
- Refresh tokens rotate on each use
- Permissions reflect the user's in-app permissions
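An added example, not Omni's code: a minimal Python model of two CLI OAuth PAT properties listed above, the 8-hour access-token lifetime and refresh-token rotation. `TokenModel` and its methods are hypothetical, and rejecting a replayed refresh token is an assumption that follows from single-use rotation.

```python
import secrets

ACCESS_TTL = 8 * 60 * 60  # seconds; the page states access tokens expire after 8 hours


class TokenModel:
    """Toy token issuer (hypothetical): short-lived access tokens, single-use refresh tokens."""

    def __init__(self):
        self.access = {}      # access token -> expiry time in seconds
        self.refresh = set()  # refresh tokens that are still redeemable

    def issue(self, now):
        """Mint a new access/refresh pair at time `now`."""
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[access] = now + ACCESS_TTL
        self.refresh.add(refresh)
        return access, refresh

    def access_valid(self, token, now):
        """An access token is accepted only before its expiry; unknown tokens never are."""
        return now < self.access.get(token, 0)

    def rotate(self, refresh, now):
        """Redeem a refresh token: the old one is retired and a new pair is issued."""
        if refresh not in self.refresh:
            raise PermissionError("refresh token already used or revoked")
        self.refresh.remove(refresh)
        return self.issue(now)


def demo():
    """Walk one session through expiry and rotation; return the observed outcomes."""
    model = TokenModel()
    a1, r1 = model.issue(now=0)
    results = {
        "fresh_access_ok": model.access_valid(a1, now=ACCESS_TTL - 1),
        "expired_access_ok": model.access_valid(a1, now=ACCESS_TTL),
    }
    a2, _r2 = model.rotate(r1, now=ACCESS_TTL)  # stands in for the CLI's auto-refresh
    results["new_access_ok"] = model.access_valid(a2, now=ACCESS_TTL + 1)
    try:
        model.rotate(r1, now=ACCESS_TTL + 2)    # replay of the already-used refresh token
        results["old_refresh_ok"] = True
    except PermissionError:
        results["old_refresh_ok"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

In this model a copied access token stops working at the 8-hour mark and a copied refresh token stops working as soon as the legitimate client refreshes, which is the exposure difference from an API key with no expiry.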
Authenticating with OAuth
To authenticate the CLI with OAuth:
API key authentication
API key authentication gives you direct control over key creation and management. This approach is useful when:
- You need to manage API keys centrally for your organization
- You’re setting up automated workflows or CI/CD pipelines
- You want to use a service account rather than individual user credentials
- You prefer tokens that don’t expire
How it works
- Create an API key in Omni
- Set the API key as an environment variable or configure it during `omni config init`
- The CLI includes the key in all requests to Omni
Authenticating with an API key
You can provide your API key in two ways:
Option 1: Environment variable
Troubleshooting
OAuth issues
Personal Access Tokens aren't enabled (403 error)
Authorization flow doesn't start
Authorization fails after clicking "Authorize"
Token expired errors after 8 hours
- Run `omni config login` again to re-authenticate
- Check that your refresh token hasn’t been revoked in Omni settings
API key issues
Authentication fails
- Verify the API key is correct and hasn’t been revoked
- Check that the key has appropriate permissions
- Ensure you’re using the correct instance URL
- Try setting `OMNI_API_TOKEN` directly in your environment
General issues
Commands fail after successful authentication
- Confirm the API key is active in your Omni settings
- Verify you have access to the resources you’re trying to access
- Check that your Omni user permissions allow the operation