Authentication
The CLI authenticates through your browser: you sign in on the AlertaVuln web app, and a session token is handed back to the CLI over a one-time localhost callback. No credentials are ever typed into the terminal.
How av login works
    av login

1. The CLI starts a one-time HTTP listener on a random 127.0.0.1 port and generates a random state value to protect the callback against CSRF.
2. Your browser opens at the AlertaVuln sign-in page, carrying the callback port and state. If the browser can’t be opened automatically, the URL is printed so you can visit it by hand.
3. You authenticate on the web - Entra/Microsoft, Google, or email.
4. The browser hands the session token back to the CLI over the localhost callback. The CLI verifies the state value, saves the token, and prints Logged in as <email>.

av login waits up to three minutes for the browser sign-in to complete
(Ctrl-C to abort), then times out.
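
An added example, not AlertaVuln's own code, of the listener side of this flow: a loopback-only bind on an OS-chosen port, a random state value compared in constant time, and a deadline. The /callback path and the state and token query parameter names are assumptions; the page does not say how the browser delivers the token.

```python
import hmac
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

class LoginListener:
    """Loopback callback listener. /callback, state and token are assumed names."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
        self.token = None
        outer = self

        class Handler(BaseHTTPRequestHandler):
            timeout = 5  # a stalled client cannot hold the listener open

            def do_GET(self):
                url = urlparse(self.path)
                query = parse_qs(url.query)
                state = query.get("state", [""])[0]
                token = query.get("token", [""])[0]
                # Constant-time compare; a request without the right state is
                # treated as forged and never touches the stored token.
                ok = (url.path == "/callback" and bool(token) and
                      hmac.compare_digest(state.encode(), outer.state.encode()))
                if ok:
                    outer.token = token
                self.send_response(200 if ok else 403)
                self.end_headers()
                self.wfile.write(b"Signed in.\n" if ok else b"Rejected.\n")

            def log_message(self, *args):  # the token is in the URL: log nothing
                pass

        # Port 0 asks the OS for a free port; bind loopback only, never 0.0.0.0.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]

    def wait(self, timeout=180.0):
        deadline = time.monotonic() + timeout
        try:
            while self.token is None:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise TimeoutError("browser sign-in did not complete")
                self.server.timeout = remaining
                self.server.handle_request()
        finally:
            self.server.server_close()  # one-time: stop listening either way
        return self.token
```

A request carrying the wrong state gets a 403 and the listener keeps waiting, so a forged callback from another page cannot plant a token or end the login early.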
Check your session at any time:

    av whoami

av whoami prints the signed-in email and the API URL the CLI resolved for
this invocation. av logout clears the stored token and email.
Where the token lives
The token is cached in config.json under your platform’s user config
directory:
| Platform | Path |
|---|---|
| Linux | $XDG_CONFIG_HOME/alertavuln/config.json (defaults to ~/.config/alertavuln/config.json) |
| macOS | ~/Library/Application Support/alertavuln/config.json |
| Windows | %AppData%\alertavuln\config.json |
The file stores only the token and your email, and is written with owner-only
permissions (0600, directory 0700) on Unix-like systems.
Commands that talk to the API require a token and fail with
"not logged in - run 'alertavuln login' first" when none is stored. The one
notable exception: a local av sast scan runs without any login, as long as
you don’t upload results with --project.
How the CLI resolves the API URL
Every invocation resolves the API base URL fresh, in this order:
| Precedence | Source | Scope |
|---|---|---|
| 1 | --api-url flag | this invocation only |
| 2 | ALERTAVULN_API_URL environment variable | current shell / CI job |
| 3 | Default: https://alertavuln.com | - |
--api-url is a global flag, available on every command:

    av --api-url https://your-instance.example.com login

See also
- Quickstart - install, sign in, and get your first verdict.
- av login - command reference.
- Install the CLI - installers, checksums, and versions.