Skip to main content
The CLI keeps per-host credentials in ~/.config/breadbox/hosts.toml. Each entry has a name, a base URL, and an API key. You add hosts with breadbox auth login, switch with --host <name> or the BREADBOX_HOST env var, and drop credentials with breadbox auth logout. The CLI talks to the unauthenticated device-code endpoints under the hood — the long-lived bb_ key is never copied across an untrusted channel.

Three ways to add a host

Switching hosts

--host accepts either a configured name (production) or a bare URL (https://breadbox.example.com). With a bare URL, the CLI falls back to BREADBOX_TOKEN from the environment, since there’s no hosts.toml entry to read from.

Checking what you’re authenticated as

whoami calls GET /api/v1/keys/me and prints the actor type (user / agent / system), the actor name, the host, and the key scope.

Environment variable overrides

VariablePurpose
BREADBOX_HOSTDefault host name or base URL for every command. Overrides auth use.
BREADBOX_TOKENAPI key to use when BREADBOX_HOST is a bare URL (no hosts.toml entry).
These overrides matter most in CI and container environments where you don’t want to bake credentials into hosts.toml.

Logging out

Logout deletes the entry from hosts.toml. It does not revoke the key on the server — if you need to invalidate the credential too, run breadbox keys revoke <id> against a host that still has access, or revoke from the admin dashboard.

File layout

hosts.toml is plaintext. Protect it with chmod 600 (the CLI does this automatically on first write) and treat it as a secret. On macOS the file lives at ~/Library/Application Support/breadbox/hosts.toml only when XDG_CONFIG_HOME is unset — the CLI follows the XDG base directory spec.

Next steps

Output formats

JSON, NDJSON, field selection, exit codes.

Headless deployment

Patterns for agent and CI environments.
Last modified on June 25, 2026