The veto cloud command manages authentication and context for Veto Cloud.
Syntax
veto cloud <subcommand> [options]
Subcommands
login
Authenticate with Veto Cloud using device flow.
veto cloud login [--base-url <url>]
whoami
Show active account and organization context.
veto cloud whoami [--base-url <url>] [--json]
org use
Switch active organization.
veto cloud org use <org-id>
project use
Switch active project.
veto cloud project use <project-id>
logout
Clear local cloud session.
Options
Base URL
Override cloud API base URL (default: https://api.veto.so).
Example:
--base-url https://staging.veto.so
JSON Output
Output result as JSON instead of human-readable text.
Example:
Examples
Login
Output:
Veto Cloud Login
================
Opening browser to authenticate...
Please visit: https://app.veto.so/device?code=ABC-123
Waiting for authentication...
✓ Authenticated successfully!
User: john@example.com
Organization: Acme Corp (org_abc123)
Project: my-agent-app (proj_xyz789)
Session saved to: ~/.veto/cloud-session.json
Check Current Context
Output:
Veto Cloud Session
==================
User:
Email: john@example.com
Name: John Doe
ID: user_abc123
Organization:
Name: Acme Corp
ID: org_abc123
Project:
Name: my-agent-app
ID: proj_xyz789
API URL: https://api.veto.so
Session: Active
Switch Organization
veto cloud org use org_xyz456
Output:
✓ Switched to organization: org_xyz456
Organization context updated.
Run 'veto cloud whoami' to verify.
Switch Project
veto cloud project use proj_new789
Output:
✓ Switched to project: proj_new789
Project context updated.
Run 'veto cloud whoami' to verify.
Logout
Output:
✓ Logged out successfully
Cloud session cleared.
Run 'veto cloud login' to authenticate again.
JSON Output
Output:
{
  "ok": true,
  "data": {
    "user": {
      "id": "user_abc123",
      "email": "john@example.com",
      "name": "John Doe"
    },
    "organization": {
      "id": "org_abc123",
      "name": "Acme Corp"
    },
    "project": {
      "id": "proj_xyz789",
      "name": "my-agent-app"
    },
    "baseUrl": "https://api.veto.so",
    "authenticated": true
  }
}
Authentication Methods
Device Flow (Default)
- CLI generates device code
- Opens browser to https://app.veto.so/device
- User enters code and approves
- CLI receives access token
- Token saved to ~/.veto/cloud-session.json
API Key (Alternative)
export VETO_API_KEY=veto_live_abc123...
veto cloud whoami
API key takes precedence over device flow session.
Session Storage
Location
~/.veto/cloud-session.json
{
  "baseUrl": "https://api.veto.so",
  "accessToken": "...",
  "refreshToken": "...",
  "accessTokenExpiresAt": "2024-03-05T12:00:00.000Z",
  "organizationId": "org_abc123",
  "projectId": "proj_xyz789",
  "user": {
    "id": "user_abc123",
    "email": "john@example.com",
    "name": "John Doe"
  }
}
Security
- File is only readable by owner (chmod 600)
- Contains sensitive tokens - do not share
- Automatically refreshed when expired
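The properties listed above can be checked locally. The following is an added example, not part of the Veto CLI or its documentation: it audits a session file for the documented 0600 mode, ownership, token fields, expiry, and a VETO_API_KEY override. The path and field names come from this page; `audit_session` and `SAMPLE_SESSION` are hypothetical names and the token values are placeholders.

```python
import json
import os
import stat
from datetime import datetime, timezone

SESSION_PATH = os.path.expanduser("~/.veto/cloud-session.json")  # location given in the docs

# Constructed sample mirroring the documented file layout (token values are placeholders).
SAMPLE_SESSION = {
    "baseUrl": "https://api.veto.so",
    "accessToken": "PLACEHOLDER_ACCESS",
    "refreshToken": "PLACEHOLDER_REFRESH",
    "accessTokenExpiresAt": "2024-03-05T12:00:00.000Z",
}


def audit_session(path=SESSION_PATH, now=None, env=None):
    """Return a list of findings for a session file; an empty list means clean."""
    env = os.environ if env is None else env
    now = now or datetime.now(timezone.utc)
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return ["no session file (logged out, or API-key-only auth)"]
    if not stat.S_ISREG(st.st_mode):
        return ["session path is not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} allows group/other access, expected 0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        session = json.load(fh)
    for field in ("accessToken", "refreshToken"):
        if not session.get(field):
            findings.append(f"missing {field}")
    expires = session.get("accessTokenExpiresAt")
    if expires:  # documented format: ISO-8601 UTC with a trailing Z
        if datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            findings.append("access token expired, a refresh is due on next CLI use")
    if env.get("VETO_API_KEY"):
        findings.append("VETO_API_KEY is set and overrides this session")
    return findings


if __name__ == "__main__":
    for finding in audit_session() or ["session file looks clean"]:
        print(finding)
```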
Use Cases
Team Collaboration
# Each developer authenticates
veto cloud login
# Share organization and project IDs (not tokens!)
veto cloud org use org_team_abc
veto cloud project use proj_shared_xyz
# Deploy policies to shared project
veto policy apply --file ./rules.yaml --target cloud
Multi-Environment Workflow
# Development
veto cloud project use proj_dev_123
veto policy apply --file ./rules.yaml --target cloud
# Staging
veto cloud project use proj_staging_456
veto policy apply --file ./rules.yaml --target cloud
# Production
veto cloud project use proj_prod_789
veto policy apply --file ./rules.yaml --target cloud
CI/CD Authentication
# .github/workflows/deploy.yml
name: Deploy Policies
env:
  VETO_API_KEY: ${{ secrets.VETO_API_KEY }}
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm install -g veto-cli
      - run: veto cloud whoami  # Verify auth
      - run: veto policy apply --file ./rules.yaml --target cloud
Switching Between Accounts
# Log out of current account
veto cloud logout
# Log in with different account
veto cloud login
# Or use different API key
export VETO_API_KEY=veto_live_different_key
Troubleshooting
Login Failed
Error: Authentication failed: Device code expired
Solution:
# Try again (code expires after 5 minutes)
veto cloud login
# Or use API key
export VETO_API_KEY=your-key-here
veto cloud whoami
Session Expired
Error: Unauthorized: Access token expired
Solution:
# Session auto-refreshes, but if it fails:
veto cloud login
# Or use fresh API key
export VETO_API_KEY=your-key-here
Organization Not Found
Error: Organization 'org_xyz' not found or access denied
Solution:
# Check available organizations
veto cloud whoami
# Contact org admin for access
# Or use correct org ID
veto cloud org use org_correct_id
Network Issues
Error: Unable to connect to https://api.veto.so
Solution:
# Check connectivity
curl https://api.veto.so/health
# Check firewall/proxy settings
echo $HTTP_PROXY
echo $HTTPS_PROXY
# Use custom base URL if needed
veto cloud login --base-url https://custom.veto.so
Best Practices
1. Use Device Flow for Development
# For local development
veto cloud login
2. Use API Keys for CI/CD
# For automated workflows
# (GitHub Actions expression syntax: expanded by the workflow runner, not by the shell)
export VETO_API_KEY=${{ secrets.VETO_API_KEY }}
3. Never Commit Credentials
# .gitignore
.veto/
.env
*.secret
4. Rotate Keys Regularly
# Generate new API key in web UI
# https://app.veto.so/settings/api-keys
# Update in CI secrets
# Update local .env files
5. Use Project Context
# Set once, use everywhere
veto cloud project use proj_abc123
veto policy apply --file ./rules.yaml --target cloud
veto guard check --tool xyz --args '{}' --mode cloud
Environment Variables
VETO_API_KEY
API key for authentication (takes precedence over device flow).
export VETO_API_KEY=veto_live_abc123...
VETO_API_URL
Override cloud API base URL.
export VETO_API_URL=https://staging.veto.so