Authentication
lb supports two authentication methods: browser-based OAuth (interactive) and API key (non-interactive).
Browser OAuth
Section titled “Browser OAuth”Run lb login to authenticate:
lb loginThe CLI opens your default browser to the LoomBrain dashboard login page. After you complete login, the browser redirects to a local callback server, and the CLI writes credentials to disk. The browser window can be closed.
The flow times out after 5 minutes if no callback is received.
Non-interactive mode
Section titled “Non-interactive mode”When a TTY is not available or certain environment variables are set, lb detects that it is running non-interactively and skips the browser flow. Non-interactive mode is triggered by any of the following:
| Signal | Description |
|---|---|
SSH_CONNECTION set | Running over SSH |
SSH_CLIENT set | Running over SSH (older clients) |
SSH_TTY set | SSH with a TTY allocated |
CI=true set | Running in CI |
LB_NON_INTERACTIVE=1 set | Explicitly forced |
In non-interactive mode, lb login exits with an error. Use API key auth instead.
You can also force non-interactive mode explicitly:
lb login --non-interactiveAPI key auth
Section titled “API key auth”Generate an API key in the LoomBrain dashboard under Settings → API Keys, then export it as an environment variable:
export LB_TOKEN=lbk_...When LB_TOKEN is set, the CLI uses it directly on every request. No lb login step is required. This is the recommended approach for CI pipelines, scripts, and server environments.
Config file
Section titled “Config file”OAuth credentials are stored in:
~/.config/loombrain/config.jsonThe file contains the refresh token and cached access token. It is created on first successful lb login and updated automatically on token refresh.
Token lifecycle
Section titled “Token lifecycle”| Token | Lifetime | Notes |
|---|---|---|
| Access token | 15 minutes | Sent as Authorization: Bearer on every request |
| Refresh token | 30 days | Stored in config file; used to obtain a new access token silently |
Token refresh is automatic. When a request fails with 401 and a refresh token is available, the CLI exchanges it for a new access token and retries the request transparently. If the refresh token is expired or revoked, lb prompts you to run lb login again.