Login

The simplest way

logi login

Your browser opens automatically. Sign in at start.1pass.dev, click "Allow logi-cli" once, and you're done.

This works the same way as GitHub's gh auth login and Vercel's vercel login. You never type your password into the terminal, so it stays secure.

When you have no browser (servers, SSH, Docker)

logi login --code

A short code (for example, AB12-CD34) appears on screen. Open start.1pass.dev/cli/activate in a browser on another device, enter the code, and the CLI signs in automatically.

Where credentials are stored

~/.config/logi/credentials.json   (chmod 600)

The token itself is never displayed. To check only which account is signed in:

logi whoami
# → dev@example.com (Personal org)

Login via environment variable (CI)

In a CI/CD environment where you can't launch a browser, supply a pre-issued PAK (Personal API Key) through an environment variable:

export LOGI_API_KEY=lpa_pat_xxxxxxxxxxxxx
logi apps list   # the login step is skipped automatically

Issue a PAK at start.1pass.dev/settings/api-keys.

Logout

logi logout

logi logout only deletes your local credentials (~/.config/logi/credentials.json). To revoke a PAK on the server side, use Developer Console → API Keys → Revoke.

If you want to understand the flow

Browser OAuth follows the PKCE standard exactly. Headless mode uses the Device Flow (RFC 8628) pattern.