A command-line interface for the Authalla OAuth2 & OpenID Connect platform. Manage tenants, users, OAuth2 clients, branding, custom domains, and more — all from your terminal.
This CLI is designed to be agent-optimized — every command outputs structured JSON with built-in schema subcommands that describe expected inputs. While it works great on its own, the recommended way to use it is through the Authalla agent skill, which lets AI coding agents like Claude Code manage your Authalla resources conversationally.
```bash
brew install authalla/tap/authalla
```

Requires Rust 1.70+.

```bash
cargo install --git https://github.com/authalla/authalla-cli
```

Download the latest release for your platform from GitHub Releases.
Authenticate with your Authalla account via your browser:
```bash
authalla login
```

This opens your browser for OAuth2 authentication. After logging in, the CLI stores your tokens securely in `~/.config/authalla/config.json` (with 0600 file permissions).
If you have access to multiple accounts, the CLI will prompt you to select one.
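To confirm the token store still has the permissions stated above (for example after restoring a home directory from backup), a check like the following can run in a login script or CI job. This is an added example, not part of the Authalla CLI; the function names and the extra directory check are assumptions.

```shell
#!/bin/sh
# Added example, not Authalla code. The path and the 0600 mode come from the
# README; the function names and the directory check are assumptions.

# Print permission bits in octal: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_token_store [path]: return 0 only if the token file is a regular
# file (not a symlink), has mode 600, and its directory is not writable by
# group or others (a writable directory lets another user swap the file).
check_token_store() {
    cfg="${1:-$HOME/.config/authalla/config.json}"
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg is missing or not a regular file" >&2
        return 1
    fi
    mode=$(file_mode "$cfg") || { echo "FAIL: cannot stat $cfg" >&2; return 1; }
    if [ "$mode" != "600" ]; then
        echo "FAIL: $cfg has mode $mode, expected 600" >&2
        return 1
    fi
    dir=$(dirname "$cfg")
    dmode=$(file_mode "$dir") || { echo "FAIL: cannot stat $dir" >&2; return 1; }
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $dmode) is group- or world-writable" >&2
        return 1
    fi
    echo "OK: $cfg is mode 600 in a private directory"
}

# Usage: check_token_store            # audits the default location
#        check_token_store /some/path # audits another copy of the file
```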
```bash
authalla config show
```

```bash
authalla tenant list
authalla user list
authalla client list
```

```bash
# List your accounts
authalla accounts list

# Switch to a different account
authalla accounts select <account-id>

# Switch to a different tenant within the current account
authalla tenant select <tenant-id>
```

For non-interactive environments, configure machine-to-machine credentials instead:
```bash
authalla config set \
  --api-url https://your-tenant.authalla.com \
  --client-id your_client_id \
  --client-secret your_client_secret
```

| Command | Description |
|---|---|
| `login` | Authenticate via browser (OAuth2 + PKCE) |
| `logout` | Clear stored authentication tokens |
| `accounts` | List and switch between accounts |
| `config` | Configure M2M API credentials, show current config |
| `tenant` | Manage tenants, switch active tenant |
| `user` | Manage users |
| `client` | Manage OAuth2 clients |
| `theme` | Manage login page branding |
| `custom-domain` | Manage custom domains |
| `custom-email` | Manage custom email sender domains |
| `social-login` | Manage social login providers |
| `well-known` | Fetch OpenID Connect discovery and JWKS endpoints |

Most resource commands follow a consistent pattern:
```bash
authalla <resource> list [--limit N] [--offset N]
authalla <resource> get --id <id>
authalla <resource> create --json '<json>'
authalla <resource> update --id <id> --json '<json>'
authalla <resource> delete --id <id>
authalla <resource> schema <create|update>
```

The `schema` subcommand prints the JSON schema for create or update payloads, so you can see exactly which fields are required and what values are accepted.
```bash
# List all tenants
authalla tenant list

# Create a tenant
authalla tenant create --json '{"name": "Production", "allow_registration": true}'

# Update a tenant with specific auth methods
authalla tenant update --id tenant_abc123 \
  --json '{"name": "Production", "allow_registration": true, "auth_methods": ["magic_link", "passkeys", "social_logins"]}'

# Switch active tenant
authalla tenant select tenant_abc123

# Delete a tenant
authalla tenant delete --id tenant_abc123
```

```bash
# List users with search
authalla user list --search "jane@example.com"

# Create a user
authalla user create --json '{"email": "jane@example.com", "name": "Jane Doe"}'

# Suspend a user
authalla user update --id user_abc123 --json '{"status": "suspended"}'
```

```bash
# Create a web application client
authalla client create --json '{
  "name": "My Web App",
  "tenant_id": "tenant_abc123",
  "application_type": "web",
  "redirect_uris": ["https://app.example.com/callback"]
}'

# Create a machine-to-machine backend client
authalla client create --json '{
  "name": "Backend Service",
  "tenant_id": "tenant_abc123",
  "application_type": "backend"
}'

# View the create schema for full field reference
authalla client schema create
```

Application types:

- `spa` — Public client for single-page applications
- `native` — Public client for mobile/desktop apps
- `web` — Confidential client for server-rendered web apps
- `backend` — Confidential client for machine-to-machine (client credentials)

Note: The client secret is only returned once on creation for confidential clients (`web` and `backend`).

Customize the look of your login pages:
```bash
# View current theme
authalla theme get

# Update brand colors (hex format)
authalla theme update --json '{
  "primary_color": "#9333ea",
  "background_color": "#ffffff",
  "dark": {
    "primary_color": "#a855f7",
    "background_color": "#0f172a"
  }
}'
```

Serve your login pages from your own domain:
```bash
# Add a custom domain
authalla custom-domain create --json '{
  "tenant_id": "tenant_abc123",
  "domain": "auth.example.com"
}'

# After configuring the DNS records returned by create, verify them
authalla custom-domain verify --id domain_abc123
```

Send authentication emails from your own domain:
```bash
# Add a custom email domain
authalla custom-email create --json '{
  "tenant_id": "tenant_abc123",
  "email_domain": "mail.example.com"
}'

# After configuring DNS records, verify them
authalla custom-email verify --id email_abc123
```

```bash
# List configured providers
authalla social-login list

# Add Google as a social login provider
authalla social-login create --json '{
  "name": "Google Login",
  "provider_type": "google",
  "client_id": "xxx.apps.googleusercontent.com",
  "client_secret": "GOCSPX-xxx",
  "tenant_ids": ["tenant_abc123"]
}'
```

Supported providers: `google`, `github`, `apple`, `microsoft`

Fetch public OpenID Connect discovery metadata:
```bash
# Fetch the OpenID Connect discovery document
authalla well-known openid-configuration

# Fetch the JSON Web Key Set (JWKS)
authalla well-known jwks
```

These commands do not require authentication — they only need a configured session or M2M credentials.

All commands output JSON to stdout, making it easy to pipe into tools like jq:
```bash
# Get the issuer from the OpenID configuration
authalla well-known openid-configuration | jq '.issuer'

# List all user emails
authalla user list | jq '.users[].email'
```
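
Because the output is plain JSON, the discovery document can be checked before a relying party is pointed at a tenant or custom domain. The following is an added example, not part of the Authalla CLI: it requires `jq`, uses a constructed sample document with placeholder endpoint paths, and the function names are assumptions. It applies the OpenID Connect Discovery rule that the `issuer` value must match the expected issuer exactly, and requires the standard endpoint fields to be `https` URLs.

```shell
#!/bin/sh
# Added example, not Authalla code. Requires jq. The sample document is
# constructed; its endpoint paths are placeholders, not Authalla's real ones.

# Constructed discovery document standing in for the output of
# `authalla well-known openid-configuration`.
sample_discovery() {
    cat <<'EOF'
{
  "issuer": "https://auth.example.com",
  "authorization_endpoint": "https://auth.example.com/authorize",
  "token_endpoint": "https://auth.example.com/token",
  "jwks_uri": "https://auth.example.com/jwks"
}
EOF
}

# check_discovery EXPECTED_ISSUER: read a discovery document on stdin.
# Returns 0 if the issuer is exactly the expected string and every listed
# endpoint is an https URL; otherwise prints each problem and returns 1.
# Returns 2 if jq cannot parse the input.
check_discovery() {
    out=$(jq -r --arg iss "$1" '
        def https: type == "string" and startswith("https://");
        [ (if .issuer != $iss then "issuer mismatch: \(.issuer)" else empty end),
          (("jwks_uri", "authorization_endpoint", "token_endpoint") as $k
             | if (.[$k] | https) then empty
               else "\($k) is missing or not https" end)
        ] | if length == 0 then "ok" else .[] end') || return 2
    [ "$out" = "ok" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: authalla well-known openid-configuration | check_discovery "$ISSUER"
```

A trailing slash or a different host in the issuer counts as a mismatch, which catches a custom domain that is serving another tenant's metadata.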