Authentication
The EAI CLI authenticates with Microsoft Entra ID (CIAM) to access platform services. All API calls through the CLI use your authenticated session.
Login
eai login
This opens a browser window for Entra CIAM authentication. After signing in, the CLI stores your tokens locally.
Options
| Flag | Description | Default |
|---|---|---|
--tenant-name <name> | CIAM tenant name | eaidevmyentepriseai |
--tenant-id <id> | CIAM tenant GUID | Platform default |
--client-id <id> | App registration client ID | From .env.local |
--scope <scope> | OAuth scopes | openid profile email offline_access |
Custom Tenant Authentication
For verticals with their own Entra ID tenant:
eai login --tenant-name my-ciam-tenant --client-id 12dcbf85-xxxx-xxxx-xxxx
Check Auth Status
eai whoami
Displays:
- Authenticated user email
- Current tenant scope
- Token expiry status
- Granted permissions
Logout
eai logout
Clears all stored authentication tokens from your machine.
Token Flow
The following diagram illustrates how the CLI handles authentication tokens:
eai login
-> Opens browser -> Entra CIAM sign-in
-> Receives authorization code
-> Exchanges for access + refresh tokens
-> Stores securely in ~/.eai/credentials
eai <any command>
-> Reads stored access token
-> If expired -> uses refresh token to get new access token
-> Attaches Authorization: Bearer <token> to API calls
-> PublicAPI validates JWT -> OPA checks permissions
Key points:
- Tokens are stored in
~/.eai/credentialson your local machine. - The CLI automatically refreshes expired access tokens using the stored refresh token.
- Every API call includes a Bearer token in the
Authorizationheader. - The platform validates JWTs and enforces permissions through OPA (Open Policy Agent).
Environment Variables
The CLI reads auth-related variables from .env.local as fallbacks when command-line flags are not provided:
| Variable | Description | Required |
|---|---|---|
ENTRA_TENANT_NAME | CIAM tenant name (e.g., eaidevmyentepriseai) | Yes |
ENTRA_TENANT_ID | CIAM tenant GUID | Yes |
ENTRA_CLIENT_ID | App registration client ID | Yes |
ENTRA_CLIENT_SECRET | Client secret (only for client credentials flow) | Only for service accounts |
Example .env.local configuration:
ENTRA_TENANT_NAME=eaidevmyentepriseai
ENTRA_TENANT_ID=50808ce0-xxxx-xxxx-xxxx
ENTRA_CLIENT_ID=12dcbf85-xxxx-xxxx-xxxx
ENTRA_CLIENT_SECRET=<secret> # Only needed for client credentials
Use eai env pull to automatically populate your .env.local with the correct values from the cloud configuration. See eai env for details.
Troubleshooting
"Token expired" errors
If your tokens have expired beyond the refresh window, log out and log in again:
eai logout && eai login
"Unauthorized" on API calls
Check that your user is provisioned in the target tenant:
eai whoami
# Verify the tenant scope matches your target
If the tenant scope is incorrect, log in again with the correct tenant:
eai login --tenant-name <correct-tenant>
Browser does not open
If the browser does not open automatically during login, set the BROWSER environment variable:
BROWSER=firefox eai login
You can also try copying the URL printed in the terminal and pasting it into your browser manually.
Using the CLI in CI/CD Pipelines
For non-interactive environments (such as CI/CD pipelines), use the client credentials flow by setting the ENTRA_CLIENT_SECRET environment variable along with the other auth variables. The CLI will detect the service account configuration and authenticate without opening a browser.
Related Commands
eai env pull-- Sync cloud configuration including auth variableseai verify-- Check platform connectivity and auth validityeai doctor-- Diagnose authentication issues