Skip to main content
Commands

vg login

Sign the CLI into your Vibgrate workspace from the browser — no DSN to copy or paste.

Overview

vg login connects the CLI to your Vibgrate workspace using a browser approval flow (an OAuth 2.0 Device Authorization Grant). It's the easiest way for an individual developer to authenticate: run one command, approve in the browser, and the CLI is bound to your workspace — no secret to copy or paste.

Quick Start: Run vg login, approve the request in your browser, then run vg scan --push.


Usage

vg login [options]

Options

FlagDescription
--region <region>Data residency region (default us).
--ingest <url>Custom ingest API host (overrides --region).
--no-browserDon't try to open a browser; just print the URL and code.
--localStore the credential in this project (.vibgrate/credentials.json) instead of your home directory.

How it works

  1. You run vg login. The CLI prints a short code (e.g. ABCD-2345) and a verification URL, and tries to open your browser.
  2. In the browser you sign in — or create a free account if you're new — then pick a workspace (or create your first one) and approve the request.
  3. The platform mints a workspace-scoped DSN and the CLI stores it locally at ~/.vibgrate/credentials.json.
  4. Subsequent vg scan --push / vg push runs are authenticated automatically.

Multi-region: pass --region eu (or --region apac) to log in against a specific data-residency region; the minted DSN points at that region's ingest host.


Where the credential is stored

By default the credential is written to ~/.vibgrate/credentials.json in your home directory — one login per machine, shared across every project, the usual convention for CLI tools.

Pass --local to store it inside the current project instead, at <project>/.vibgrate/credentials.json (anchored at the repo root, so it is still found when you run commands from a subdirectory). Use this when different projects should bind to different workspaces. When the credential lands inside a git repo, vg login adds .vibgrate/credentials.json to .gitignore for you so the secret is never committed. Once a project-local credential exists, later vg scan --push / vg push runs in that project pick it up automatically — you don't need to pass --local again.

To point the CLI at a specific file (for example in CI), set the VIBGRATE_CREDENTIALS environment variable to that path; it overrides both the home and project-local stores.


Credential precedence

When pushing, the CLI resolves credentials in this order:

  1. an explicit --dsn flag,
  2. the VIBGRATE_DSN environment variable (use this in CI),
  3. the credential saved by vg login.

So login is for interactive laptops; CI and the scheduled AMI scanner should keep using a DSN in VIBGRATE_DSN (see vg dsn create).


Logging out

vg logout

Removes the stored credential from ~/.vibgrate/credentials.json.


Security

  • The CLI never sees your password — authentication happens in the browser against your existing Vibgrate (Clerk/GitHub) session.
  • The login code is single-use and expires after 15 minutes.
  • Only the minted DSN is stored locally; add ~/.vibgrate/ to your ignore rules if you keep a dotfiles repo.

Related Commands

No live demo for this command

vg login signs the CLI into Vibgrate Cloud through an interactive browser approval, so there is nothing fixed to replay. Follow the steps above to connect your workspace.

Related Documentation

Related Help Articles