On a developer machine the CLI authenticates with an OAuth2 Authorization Code + PKCE flow. You run hexsign login, your browser handles the consent screen, the CLI captures the authorization code on a localhost callback, and the refresh token gets stashed in your OS keychain.
Sign in
hexsign login
The CLI opens identity.hexsign.net in your default browser. After you authenticate, the browser redirects to http://localhost:53682/callback with a one-time code; the CLI exchanges it for an ID token, an access token, and a refresh token, then prints Signed in as <email>.
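As an added example (not hexsign's own code) of the flow just described: the PKCE verifier/challenge pair the CLI would generate before opening the browser, the authorize URL it hands over, the state check the localhost callback should do before accepting a code, and the recomputation the token endpoint performs. identity.hexsign.net, port 53682 and the /callback path come from this page; the /authorize path, the client_id and the scopes are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Host and port come from the docs above; the /authorize path, client_id and scopes are assumptions.
AUTHORIZE_URL = "https://identity.hexsign.net/authorize"
REDIRECT_URI = "http://localhost:53682/callback"

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple:
    """(code_verifier, code_challenge) for S256; 32 random bytes encode to 43 chars."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id: str, challenge: str, state: str) -> str:
    """URL handed to the browser: only the challenge travels, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email offline_access",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(url: str, expected_state: str) -> str:
    """Extract the code from the localhost redirect; drop anything whose state is not ours."""
    q = parse_qs(urlparse(url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code

def verify_challenge(verifier: str, challenge: str) -> bool:
    """Token endpoint's check: recompute S256 over the presented verifier and compare."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, challenge)
```

The state check is what keeps a stray or forged request to the callback port from being accepted as the user's sign-in; the verifier never leaves the CLI process until the token exchange.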
Where credentials live
- Refresh token: stored in your OS keychain (macOS Keychain, Linux Secret Service, Windows Credential Manager) under the service name hexsign-cli. Never written to disk in plain text.
- ID and access tokens: cached in ~/.config/hexsign/tokens.json (or the platform equivalent) with 0600 perms. Short-lived; refreshed silently on every command.
- Last username: saved in ~/.config/hexsign/config.json so hexsign whoami can answer without a network round-trip when the access token is still valid.
Confirm who you are
hexsign whoami # Signed in as steve@example.com (organization: Acme Apps)
Sign out
hexsign logout deletes the refresh token from your OS keychain and clears the cached access tokens from disk. Use it before handing the laptop to a colleague or when you've rotated to a new account.
hexsign logout # Signed out.
If port 53682 is in use
The OAuth callback listens on localhost:53682. If something else on your machine already owns that port, change it once and hexsign login will use the new value next time.
hexsign config set callback_port 53683
hexsign login