Every Groniz CLI command communicates with the Groniz API and requires valid credentials before it will do anything. If no credentials are present the command exits immediately with an authentication error. Two methods are supported — OAuth2 device flow and API key — and understanding which one to use matters especially for AI agent workflows, where credentials must survive across multiple shell sessions and agent invocations rather than existing only for the lifetime of a single terminal export.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/groniz/groniz-cli/llms.txt
Use this file to discover all available pages before exploring further.
Option 1: OAuth2 device flow (recommended)
The OAuth2 device flow is the recommended method for interactive use: local development, personal machines, and agents running in your development environment.- Requests a short-lived one-time code from the Groniz authorization server.
- Prints the code and a URL in your terminal.
- Waits while you open the URL in your browser and approve access.
- Exchanges the approved authorization for a token and writes it to
~/.groniz/credentials.json.
~/.groniz/credentials.json
Best for: interactive sessions, local development, local AI agents (Claude Code, Cursor, etc.)
Option 2: API key
API keys are better suited to environments where browser-based authorization is not practical: CI/CD pipelines, Docker containers, and headless agents.Generate an API key
Open the Groniz Console API Keys page, create a new key, and copy the value immediately — it is only shown once.Set the environment variable
Credential priority
When both~/.groniz/credentials.json and the GRONIZ_API_KEY environment variable are present, OAuth2 credentials take priority. The API key is used only when no OAuth2 token is found.
| Present | Used |
|---|---|
| OAuth2 token only | OAuth2 token |
| API key only | API key |
| Both | OAuth2 token |
Managing credentials
Verify your identity
groniz whoami any time you want to confirm which account the CLI is authenticated as, or to verify that credentials were loaded correctly in a new environment.
Remove stored credentials
~/.groniz/credentials.json. It does not revoke OAuth2 tokens on the server side — if you need to fully revoke access, do so from the Groniz Console.