Overview
vg login connects the CLI to your Vibgrate workspace using a browser
approval flow (an OAuth 2.0 Device Authorization Grant). It's the easiest way for
an individual developer to authenticate: run one command, approve in the browser,
and the CLI is bound to your workspace — no secret to copy or paste.
Quick Start: Run vg login, approve the request in your browser, then run vg scan --push.
Usage
vg login [options]
Options
| Flag | Description |
|---|---|
--region <region> | Data residency region (default us). |
--ingest <url> | Custom ingest API host (overrides --region). |
--no-browser | Don't try to open a browser; just print the URL and code. |
--local | Store the credential in this project (.vibgrate/credentials.json) instead of your home directory. |
How it works
- You run
vg login. The CLI prints a short code (e.g.ABCD-2345) and a verification URL, and tries to open your browser. - In the browser you sign in — or create a free account if you're new — then pick a workspace (or create your first one) and approve the request.
- The platform mints a workspace-scoped DSN and the CLI stores it locally at
~/.vibgrate/credentials.json. - Subsequent
vg scan --push/vg pushruns are authenticated automatically.
Multi-region: pass --region eu (or --region apac) to log in against a specific
data-residency region; the minted DSN points at that region's ingest host.
Where the credential is stored
By default the credential is written to ~/.vibgrate/credentials.json in your
home directory — one login per machine, shared across every project, the usual
convention for CLI tools.
Pass --local to store it inside the current project instead, at
<project>/.vibgrate/credentials.json (anchored at the repo root, so it is still
found when you run commands from a subdirectory). Use this when different projects
should bind to different workspaces. When the credential lands inside a git repo,
vg login adds .vibgrate/credentials.json to .gitignore for you so the
secret is never committed. Once a project-local credential exists, later
vg scan --push / vg push runs in that project pick it up automatically —
you don't need to pass --local again.
To point the CLI at a specific file (for example in CI), set the
VIBGRATE_CREDENTIALS environment variable to that path; it overrides both the
home and project-local stores.
Credential precedence
When pushing, the CLI resolves credentials in this order:
- an explicit
--dsnflag, - the
VIBGRATE_DSNenvironment variable (use this in CI), - the credential saved by
vg login.
So login is for interactive laptops; CI and the scheduled AMI scanner should
keep using a DSN in VIBGRATE_DSN (see vg dsn create).
Logging out
vg logout
Removes the stored credential from ~/.vibgrate/credentials.json.
Security
- The CLI never sees your password — authentication happens in the browser against your existing Vibgrate (Clerk/GitHub) session.
- The login code is single-use and expires after 15 minutes.
- Only the minted DSN is stored locally; add
~/.vibgrate/to your ignore rules if you keep a dotfiles repo.
Related Commands
- vg push — upload scans after authenticating
- vg dsn create — non-interactive credentials for CI
- Getting Started — end-to-end first run