Skip to main content

Two paths

The CLI accepts two kinds of credentials:
PathBest forHow
Device-flow OAuthHumans at a terminal. Tokens auto-refresh; no manual rotation.ekso auth login --tenant <subdomain>
API keyCI, agents, scripts, anything headless. Static; rotate on a policy.--api-key <key> flag or EKSO_API_KEY env var
Both produce the same authenticated session against your tenant. The backend stamps each request with a Client marker (Cli for device-flow tokens, Sdk for API keys) to gate operations that should not be scriptable — see CLI/SDK marker.

Device-flow login

Run: 
ekso auth login --tenant acme
The CLI prints a short code and a verification URL, opens your browser to that URL, and polls in the background. Approve the request in the browser and the CLI captures an access + refresh token pair. They’re stored in the per-tenant credential store so subsequent ekso ... calls skip the login step. 
$ ekso auth login --tenant acme
Visit https://acme.ekso.app/auth/device and enter code: ABCD-1234
Waiting for approval...
 Signed in to tenant 'acme' as [email protected]
Tokens auto-refresh on every request — when the access token nears expiry, the SDK exchanges the refresh token for a new pair and rewrites the credential store transparently. You should not need to re-run auth login until the refresh token itself expires (~7 days of inactivity).

API-key auth

API keys live in the admin surface — mint one with ekso api-key create --name "ci-deploy". The response contains the raw key exactly once (ek_...); store it immediately. Pass it on every call via --api-key: 
ekso item list --tenant acme --api-key ek_live_xxx
Or — typically cleaner — set the env var: 
export EKSO_TENANT=acme
export EKSO_API_KEY=ek_live_xxx
ekso item list
Keys carry the permissions of the user who minted them. Revoke with ekso api-key delete <id> (the key stops working immediately).

Precedence

When both are present, --api-key (or EKSO_API_KEY) wins. Stored device-flow tokens are ignored. This makes CI overrides simple — set EKSO_API_KEY in the runner and the same ekso ... invocations a developer uses locally now run headless. The full resolution order, highest priority first:
  1. --api-key <KEY> flag
  2. EKSO_API_KEY environment variable
  3. Stored device-flow credentials for --tenant/EKSO_TENANT
  4. Otherwise — exit code 3 (auth error) with a “run ekso auth login” hint.

Logging out

ekso auth logout --tenant acme
Clears stored tokens for that tenant. The credential store is per-tenant, so logging out of acme doesn’t affect other tenants you may also have signed into.

Local development

If you’re running the backend locally (e.g. on https://localhost:7070), point the CLI at it with --base-url: 
export EKSO_TENANT=devinc
export EKSO_BASE_URL=https://devinc.localhost:7070
ekso auth login
The base URL override is per-call (or per-shell via EKSO_BASE_URL). Stored credentials are scoped to the tenant + base URL pair, so dev and prod creds don’t collide.