Configuration
The CLI keeps a single small JSON file holding your session. You normally
never edit it - av login writes it, av logout clears it - but knowing
where it lives helps when scripting, debugging, or wiping a machine.
Config file location
The file is config.json inside an alertavuln folder under your operating
system’s standard user config directory:
| OS | Path |
|---|---|
| Windows | %AppData%\alertavuln\config.json (typically C:\Users\<you>\AppData\Roaming\alertavuln\config.json) |
| macOS | ~/Library/Application Support/alertavuln/config.json |
| Linux | $XDG_CONFIG_HOME/alertavuln/config.json (defaults to ~/.config/alertavuln/config.json) |
The file does not exist until your first av login; until then the CLI runs
with defaults and simply reports that you are not logged in when a command
needs authentication.
Fields
```json
{
  "token": "<session token>",
  "email": "<signed-in email address>"
}
```

| Field | Written by | Description |
|---|---|---|
| token | av login, av org switch | The session bearer token sent with every API call. av org switch replaces it with a token scoped to the new organisation. |
| email | av login | The signed-in email address, shown by av whoami. |
Both fields are optional and omitted when empty. Older CLI versions also
persisted an api_url field; the current CLI deliberately ignores any
api_url left in the file (see below).
How login writes it
- av login starts a one-time listener on 127.0.0.1 with a random port and CSRF state, then opens your browser to the AlertaVuln sign-in page.
- You authenticate on the web (Microsoft/Entra, Google, or email) - no credentials are ever typed into the terminal.
- The browser hands the session token (and your email) back to the CLI over the localhost callback; the CLI verifies the state value, then saves config.json.
- The config directory is created with mode 0700 and the file written with mode 0600 on Unix-like systems, so only your user can read it.
The login flow times out after 3 minutes if the browser sign-in never completes.
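To check a machine against the location and permissions described above, the following added example (not part of the AlertaVuln CLI or its documentation) audits config.json without ever printing the token. The function names, the finding strings and the sample values are assumptions made for illustration, and only the Linux and macOS paths are covered.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

def config_path(platform, env, home):
    """Unix-like rows of the path table above (Windows has no mode bits to audit)."""
    if platform == "darwin":
        return Path(home, "Library", "Application Support", "alertavuln", "config.json")
    base = env.get("XDG_CONFIG_HOME") or os.path.join(home, ".config")
    return Path(base, "alertavuln", "config.json")

def audit(path):
    """Return a list of findings. The token value is never returned or printed."""
    path = Path(path)
    if not path.exists():
        return ["no config.json (not logged in)"]
    findings = []
    for target in (path.parent, path):
        mode = stat.S_IMODE(target.stat().st_mode)
        if mode & 0o077:  # any group/other bit exposes the bearer token
            findings.append(f"{target.name}: mode {mode:04o} is open to other users")
    try:
        cfg = json.loads(path.read_text())
    except ValueError:
        cfg = None
    if not isinstance(cfg, dict):
        return findings + ["config.json is not a JSON object"]
    if "api_url" in cfg:
        findings.append("stale api_url present (current CLI ignores it)")
    for key in sorted(set(cfg) - {"token", "email", "api_url"}):
        findings.append(f"undocumented field: {key}")
    return findings

def make_sample(root, dir_mode, file_mode, cfg):
    """Build a constructed config tree under root (sample data, not a real session)."""
    path = config_path("linux", {"XDG_CONFIG_HOME": str(root)}, "/nonexistent")
    path.parent.mkdir()
    path.write_text(json.dumps(cfg))
    os.chmod(path.parent, dir_mode)
    os.chmod(path, file_mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        cfg = {"token": "constructed-not-a-real-token", "api_url": "https://staging.example.com"}
        bad = make_sample(root, 0o755, 0o644, cfg)
        print("\n".join(audit(bad)))
```

An empty list from audit() means the directory and file are private to the owner and the file holds only the documented fields.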
API endpoint resolution
The API base URL is resolved fresh on every invocation, in this order (highest wins):
- The --api-url flag
- The ALERTAVULN_API_URL environment variable
- The built-in default, https://alertavuln.com

```sh
# One-off invocation against a staging endpoint
av whoami --api-url https://staging.example.com

# Session-wide override via the environment
export ALERTAVULN_API_URL=https://staging.example.com
av whoami
```

Environment variables
| Variable | Effect |
|---|---|
| ALERTAVULN_API_URL | Overrides the default API base URL. The --api-url flag takes precedence over it. |
See also
- CLI reference - every command, global flags, and output conventions
- av login - the browser sign-in flow that writes this file
- Install the CLI - one-line installers and direct binary downloads