Authentication

The CLI authenticates through your browser: you sign in on the AlertaVuln web app, and a session token is handed back to the CLI over a one-time localhost callback. No credentials are ever typed into the terminal.

av login

  1. The CLI starts a one-time HTTP listener on a random 127.0.0.1 port and generates a random state value to protect the callback against CSRF.

  2. Your browser opens at the AlertaVuln sign-in page, carrying the callback port and state. If the browser can’t be opened automatically, the URL is printed so you can visit it by hand.

  3. You authenticate on the web with Entra/Microsoft, Google, or email.

  4. The browser hands the session token back to the CLI over the localhost callback. The CLI verifies the state value, saves the token, and prints Logged in as <email>.

av login waits up to three minutes for the browser sign-in to complete (Ctrl-C to abort), then times out.
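
The CLI side of steps 1 and 4, sketched in Python as an added example (not AlertaVuln's own code): a loopback-only, one-time listener that accepts a callback only when it carries the exact state generated for this login, and gives up after a timeout. The `state` and `token` query parameter names and all function names are assumptions made for illustration.

```python
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def start_callback_listener():
    """Bind 127.0.0.1 on an OS-chosen port (port 0) for a single login attempt."""
    state = secrets.token_urlsafe(32)   # unguessable value, fresh per login
    done = threading.Event()            # set once a valid callback arrives
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # "state" and "token" are assumed parameter names, not AlertaVuln's.
            query = parse_qs(urlparse(self.path).query)
            got_state = query.get("state", [""])[0]
            token = query.get("token", [""])[0]
            # Constant-time compare; accept only the first valid callback.
            ok = (hmac.compare_digest(got_state.encode(), state.encode())
                  and bool(token) and not done.is_set())
            if ok:
                result["token"] = token
                done.set()
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(b"Signed in.\n" if ok else b"Invalid callback.\n")

        def log_message(self, *args):   # never log the query string (token)
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    return server, state, done, result


def wait_for_token(server, done, result, timeout=180.0):
    """Serve until a valid callback or the timeout; return the token or None."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        done.wait(timeout)
    finally:
        server.shutdown()       # stop accepting callbacks: listener is one-time
        server.server_close()
    return result.get("token")


if __name__ == "__main__":
    server, state, done, result = start_callback_listener()
    print("token received" if wait_for_token(server, done, result) else "timed out")
```

A request to the listener that lacks the matching state gets a 400 and leaves the stored result untouched, which is what stops another local page or process from planting its own token.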

Check your session at any time:

av whoami

av whoami prints the signed-in email and the API URL the CLI resolved for this invocation. av logout clears the stored token and email.

The token is cached in config.json under your platform’s user config directory:

| Platform | Path |
|----------|------|
| Linux | $XDG_CONFIG_HOME/alertavuln/config.json (defaults to ~/.config/alertavuln/config.json) |
| macOS | ~/Library/Application Support/alertavuln/config.json |
| Windows | %AppData%\alertavuln\config.json |

The file stores only the token and your email, and is written with owner-only permissions (0600, directory 0700) on Unix-like systems.

Commands that talk to the API require a token and fail with "not logged in - run 'alertavuln login' first" when none is stored. The one notable exception: a local av sast scan runs without any login, as long as you don’t upload results with --project.

Every invocation resolves the API base URL fresh, in this order:

| Precedence | Source | Scope |
|------------|--------|-------|
| 1 | --api-url flag | this invocation only |
| 2 | ALERTAVULN_API_URL environment variable | current shell / CI job |
| 3 | Default: https://alertavuln.com | - |

--api-url is a global flag, available on every command:

av --api-url https://your-instance.example.com login