On a developer machine the CLI authenticates with an OAuth2 Authorization Code + PKCE flow. You run `hexsign login`, your browser handles the consent screen, the CLI captures the authorization code on a localhost callback, and the refresh token gets stashed in your OS keychain.
## Sign in

```sh
hexsign login
```
The CLI opens `identity.hexsign.net` in your default browser. After you authenticate, the browser redirects to `http://localhost:53682/callback` with a one-time code; the CLI exchanges it for an ID token, an access token, and a refresh token, then prints `Signed in as <email>`.
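The client side of the PKCE flow described above, as an added Python example (not the `hexsign` CLI's own code): it derives the S256 challenge from a random verifier, builds the authorization request, validates the localhost callback against the `state` value before trusting the code, and assembles the token-exchange body. The `/authorize` path, the `client_id` and the scope string are assumptions; the redirect URI and port are the ones this page documents.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://identity.hexsign.net/authorize"  # assumed endpoint path
REDIRECT_URI = "http://localhost:53682/callback"           # port documented on this page
CLIENT_ID = "hexsign-cli"                                  # placeholder client id

def make_verifier(nbytes: int = 32) -> str:
    # RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()

def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(verifier: str, state: str) -> str:
    # Only the challenge leaves the machine; the verifier stays in the CLI process
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email offline_access",  # assumed; offline_access asks for a refresh token
        "state": state,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(request_target: str, expected_state: str) -> str:
    """Validate the request the browser sends to localhost:53682 and return the one-time code.
    Any error response or state mismatch is rejected so an injected callback cannot be redeemed."""
    qs = parse_qs(urlparse(request_target).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback missing code")
    return code

def token_request_body(code: str, verifier: str) -> dict:
    # The server recomputes S256(code_verifier) and compares it with the stored challenge
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

The listener that receives the callback should bind `127.0.0.1` only and generate a fresh `state` and verifier per login; `secrets.token_urlsafe()` is suitable for `state`.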
## Where credentials live

- **Refresh token**: Stored in your OS keychain (macOS Keychain, Linux Secret Service, Windows Credential Manager) under the service name `hexsign-cli`. Never written to disk in plain text.
- **ID and access tokens**: Cached in `~/.config/hexsign/tokens.json` (or the platform equivalent) with `0600` perms. Short-lived; refreshed silently on every command.
- **Last username**: Saved in `~/.config/hexsign/config.json` so `hexsign whoami` can answer without a network round-trip when the access token is still valid.
## Confirm who you are

```sh
hexsign whoami
# Signed in as steve@example.com (organization: Acme Apps)
```
## Sign out
`hexsign logout` deletes the refresh token from your OS keychain and clears the cached access tokens from disk. Use it before handing the laptop to a colleague or when you've rotated to a new account.
```sh
hexsign logout
# Signed out.
```
## If port 53682 is in use
The OAuth callback listens on `localhost:53682`. If something else on your machine already owns that port, change it once and `hexsign login` will use the new value next time.
```sh
hexsign config set callback_port 53683
hexsign login
```