Authentication
Sign in, sign out, check who you are, and manage your recovery code.
klef login
Sign in via a browser device-auth flow and unlock your encryption password.
klef loginKlef opens your browser so you can sign in with a magic link, Google, or GitHub. The CLI itself never speaks to an OAuth provider. After the browser hands the session back, the CLI prompts for your encryption password and derives your keys locally.
Options
| Flag | Description |
|---|---|
--otp | Use the magic-link OTP fallback instead of opening a browser. |
--recover | Reset a forgotten password using your recovery code. |
Use --otp on a headless machine or any environment where a browser cannot be
opened:
klef login --otpUse --recover if you have forgotten your encryption password and have your
recovery code:
klef login --recoverRecovery requires the recovery code shown once at signup. Klef cannot reset your password for you, because it never sees it.
klef logout
Sign out and clear the local session token from your OS keychain.
klef logoutklef whoami
Print the email of the signed-in account. Exits non-zero if you are not signed in, which makes it useful in scripts.
klef whoamiklef recovery
Regenerate your recovery code. This re-prompts for your encryption password and prints a fresh recovery code, invalidating the old one.
klef recoveryStore the recovery code somewhere safe
It is shown once. A password manager or printed copy in a safe place are good options. Without it, a forgotten encryption password cannot be recovered.