Authentication
How CLI authentication works. Interactive login with device auth, API keys for CI/CD, and credential storage.
The CLI supports two authentication methods: interactive login for development and API keys for CI/CD.
Interactive Login (Recommended)
The CLI uses OAuth 2.0 Device Authorization to authenticate:
quickback loginA code is displayed in your terminal. Approve it in your browser and you're authenticated. See the CLI Reference for the full flow.
Credentials are stored at ~/.quickback/credentials.json and include your session token, user info, and active organization.
API Key (CI/CD)
For non-interactive environments (CI/CD, scripts), use an API key:
QUICKBACK_API_KEY=your_api_key quickback compileCreate API keys from your Quickback account. Each key is scoped to your organization.
The API key takes precedence over stored credentials from quickback login.
How Tokens Are Validated
The compiler-cloud worker validates authentication by forwarding your token to the Quickback API's /internal/validate endpoint via a Cloudflare service binding. This resolves both session tokens (from quickback login) and API keys (from QUICKBACK_API_KEY).
Credential Storage
Credentials are stored at ~/.quickback/credentials.json:
{
"token": "...",
"user": {
"id": "...",
"email": "paul@example.com",
"name": "Paul Stenhouse",
"tier": "free"
},
"expiresAt": "2026-02-16T01:42:21.519Z",
"organization": {
"id": "...",
"name": "Acme",
"slug": "acme"
}
}Sessions expire after 7 days. Run quickback login again to re-authenticate.
Organizations
After login, the CLI auto-selects your organization:
- One organization — automatically set as active.
- Multiple organizations — you're prompted to choose one.
The active organization is stored in your credentials and sent with compile requests, so the compiler knows which org context to use.