Skip to main content
The CLI keeps per-host credentials in ~/.config/breadbox/hosts.toml. Each entry has a name, a base URL, and an API key. You add hosts with breadbox auth login, switch with --host <name> or the BREADBOX_HOST env var, and drop credentials with breadbox auth logout. The CLI talks to the unauthenticated device-code endpoints under the hood — the long-lived bb_ key is never copied across an untrusted channel.

Three ways to add a host

Switching hosts

# Show every configured host and which is the default
breadbox auth status

# Pick a default host for this shell
export BREADBOX_HOST=production

# Or override per command
breadbox transactions list --host staging

# Or change the saved default
breadbox auth use production
--host accepts either a configured name (production) or a bare URL (https://breadbox.example.com). With a bare URL, the CLI falls back to BREADBOX_TOKEN from the environment, since there’s no hosts.toml entry to read from.

Checking what you’re authenticated as

breadbox auth whoami
# Host: production (https://breadbox.example.com)
# Actor: agent / reviewer (full_access)
whoami calls GET /api/v1/keys/me and prints the actor type (user / agent / system), the actor name, the host, and the key scope.

Environment variable overrides

VariablePurpose
BREADBOX_HOSTDefault host name or base URL for every command. Overrides auth use.
BREADBOX_TOKENAPI key to use when BREADBOX_HOST is a bare URL (no hosts.toml entry).
These overrides matter most in CI and container environments where you don’t want to bake credentials into hosts.toml.

Logging out

breadbox auth logout production    # drop one host
breadbox auth logout               # drop every host
Logout deletes the entry from hosts.toml. It does not revoke the key on the server — if you need to invalidate the credential too, run breadbox keys revoke <id> against a host that still has access, or revoke from the admin dashboard.

File layout

~/.config/breadbox/
└── hosts.toml         # API keys, host base URLs, default host marker
hosts.toml is plaintext. Protect it with chmod 600 (the CLI does this automatically on first write) and treat it as a secret. On macOS the file lives at ~/Library/Application Support/breadbox/hosts.toml only when XDG_CONFIG_HOME is unset — the CLI follows the XDG base directory spec.

Next steps

Output formats

JSON, NDJSON, field selection, exit codes.

Headless deployment

Patterns for agent and CI environments.
Last modified on May 27, 2026