LogInClientCredentials
Non-interactive login using OAuth2 client_credentials. Reads credentials from -id/-s arguments or OCTO_CLI_CLIENT_ID/OCTO_CLI_CLIENT_SECRET env vars. Tenant comes from the active context.
Examples
Headless run ΓÇö export credentials, then login:
octo-cli -c LogInClientCredentials
Or using shell args directly (args take precedence over env vars):
octo-cli -c LogInClientCredentials -id "my-script-client" -s "<secret>"
Options
| Short | Long | Required | Description |
|---|---|---|---|
-id | --clientId | no | Client ID. Falls back to env var OCTO_CLI_CLIENT_ID |
-s | --secret | no | Client secret. Falls back to env var OCTO_CLI_CLIENT_SECRET |
Notes
Tenant comes from the active context. Switch contexts (e.g. octo-cli -c UseContext -n prod) to target a different tenant. The login fails fast if the active context has no TenantId.
The client is per-tenant. If a script needs to address multiple tenants, create one client_credentials client per tenant and switch contexts before each login.
No refresh token is issued (per OAuth2 spec for client_credentials). While OCTO_CLI_CLIENT_ID and OCTO_CLI_CLIENT_SECRET remain set in the environment, octo-cli automatically re-acquires the token when it expires ΓÇö long-running scripts do not need to call LogInClientCredentials again between commands. If the env vars are unset, the next API call after expiry returns 401 and you must re-run the login.
The token is stored in the active context's Authentication block, exactly like a device-code token.