Skip to content

Configuration

The CLI keeps a single small JSON file holding your session. You normally never edit it - av login writes it, av logout clears it - but knowing where it lives helps when scripting, debugging, or wiping a machine.

The file is config.json inside an alertavuln folder under your operating system’s standard user config directory:

OS Path
Windows %AppData%\alertavuln\config.json (typically C:\Users\<you>\AppData\Roaming\alertavuln\config.json)
macOS ~/Library/Application Support/alertavuln/config.json
Linux $XDG_CONFIG_HOME/alertavuln/config.json (defaults to ~/.config/alertavuln/config.json)

The file does not exist until your first av login; until then the CLI runs with defaults and simply reports that you are not logged in when a command needs authentication.

config.json
{
"token": "<session token>",
"email": "[email protected]"
}
Field Written by Description
token av login, av org switch The session bearer token sent with every API call. av org switch replaces it with a token scoped to the new organisation.
email av login The signed-in email address, shown by av whoami.

Both fields are optional and omitted when empty. Older CLI versions also persisted an api_url field; the current CLI deliberately ignores any api_url left in the file (see below).

  1. av login starts a one-time listener on 127.0.0.1 with a random port and CSRF state, then opens your browser to the AlertaVuln sign-in page.
  2. You authenticate on the web (Microsoft/Entra, Google, or email) - no credentials are ever typed into the terminal.
  3. The browser hands the session token (and your email) back to the CLI over the localhost callback; the CLI verifies the state value, then saves config.json.
  4. The config directory is created with mode 0700 and the file written with mode 0600 on Unix-like systems, so only your user can read it.

The login flow times out after 3 minutes if the browser sign-in never completes.

The API base URL is resolved fresh on every invocation, in this order (highest wins):

  1. The --api-url flag
  2. The ALERTAVULN_API_URL environment variable
  3. The built-in default, https://alertavuln.com
Terminal window
# One-off invocation against a staging endpoint
av whoami --api-url https://staging.example.com
# Session-wide override via the environment
export ALERTAVULN_API_URL=https://staging.example.com
av whoami
Variable Effect
ALERTAVULN_API_URL Overrides the default API base URL. The --api-url flag takes precedence over it.
  • CLI reference - every command, global flags, and output conventions
  • av login - the browser sign-in flow that writes this file
  • Install the CLI - one-line installers and direct binary downloads