Authentication
Secure authentication for GitScrum CLI using OAuth 2.0 Device Authorization Grant. No passwords stored or transmitted.
The GitScrum CLI uses OAuth 2.0 Device Authorization Grant (RFC 8628) for secure, browser-based authentication. This is the same flow used by modern CLI tools like GitHub CLI and Azure CLI.
How It Works
The Device Flow
┌─────────────┐    1. Request code      ┌─────────────┐
│  Terminal   │ ──────────────────────► │  GitScrum   │
│             │ ◄────────────────────── │   OAuth     │
│             │    2. Device code +     │             │
│             │    verification URL     │             │
└─────────────┘                         └─────────────┘
       │                                       ▲
       │ 3. User opens URL                     │
       │    in browser                         │ 5. Validate
       ▼                                       │    login
┌─────────────┐    4. User logs in      ┌─────────────┐
│  Browser    │ ──────────────────────► │  GitScrum   │
│             │                         │   Login     │
└─────────────┘                         └─────────────┘
       │
       │ 6. CLI receives access token
       ▼
┌─────────────┐
│  Terminal   │  Authenticated!
└─────────────┘
Why Device Flow?
- No password handling. The CLI never sees your password.
- MFA compatible. Use any 2FA method you have configured.
- Revocable. Revoke CLI access without changing your password.
- Scoped. Tokens have limited permissions.
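Step 6 of the flow is a polling loop: under RFC 8628 the CLI repeatedly asks the token endpoint whether the user has approved the code, and must back off or stop on specific error codes. The sketch below is an added example, not GitScrum's own code; the token URL, client ID, the injected `post` transport and the `fake_server` helper with its canned replies are assumptions made so the loop runs offline.

```python
import time

# Grant type URN defined by RFC 8628, section 3.4.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Terminal failure: the user denied the request or the code expired."""


def poll_for_token(post, token_url, client_id, device_resp,
                   sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user approves or the code expires.

    post(url, form) -> dict is an injected transport (hypothetical name).
    device_resp is the JSON returned in step 2 of the flow.
    """
    interval = device_resp.get("interval", 5)   # RFC default is 5 seconds
    deadline = now() + device_resp["expires_in"]
    form = {"grant_type": DEVICE_GRANT,
            "device_code": device_resp["device_code"],  # secret, never shown
            "client_id": client_id}
    while now() < deadline:
        sleep(interval)
        body = post(token_url, form)
        if "access_token" in body:
            return body                          # step 6: token issued
        error = body.get("error")
        if error == "authorization_pending":
            continue                             # user has not finished yet
        if error == "slow_down":
            interval += 5                        # RFC 8628: add 5 s and retry
            continue
        # access_denied, expired_token or anything unexpected: stop polling
        raise DeviceFlowError(error or "malformed token response")
    raise DeviceFlowError("expired_token")


def fake_server(script):
    """Constructed stand-in for the token endpoint: replays canned replies."""
    replies = iter(script)
    return lambda url, form: next(replies)
```

Only the short user code is ever displayed; the `device_code` stays inside the CLI and is what binds the browser approval to this terminal session.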
Login
gitscrum auth login
The CLI displays a code and opens your browser:
Opening browser to complete authentication...
If the browser doesn't open, visit:
https://gitscrum.com/device
And enter this code:
ABCD-EFGH
Waiting for authentication...
After you authorize in the browser:
Authentication successful!
Logged in as John Doe (john@example.com)
Check Status
gitscrum auth status
Authenticated: Yes
User: John Doe (john@example.com)
Workspace: my-company
Token expires: Feb 15, 2026 09:30 UTC
Who Am I?
gitscrum auth whoami
Logged in as John Doe (john@example.com)
Logout
gitscrum auth logout
This removes stored credentials from ~/.gitscrum/token.json.
Token Storage
OAuth tokens are stored locally:
| Platform | Location |
|---|---|
| Linux/macOS | ~/.gitscrum/token.json |
| Windows | %USERPROFILE%\.gitscrum\token.json |
File permissions are set to 0600 (owner read/write only).
Token Format
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "Bearer",
  "expires_at": "2026-02-15T09:30:00Z"
}
Token Refresh
Access tokens expire after 24 hours. The CLI automatically refreshes them using the refresh token. If the refresh token expires (7 days of inactivity), you'll need to run gitscrum auth login again.
CI/CD Authentication
For headless environments (CI/CD pipelines, servers), use environment variable authentication:
export GITSCRUM_ACCESS_TOKEN="your-oauth-access-token"
Obtaining a CI/CD Token
- Run gitscrum auth login locally
- Copy the access_token from ~/.gitscrum/token.json
- Add it as a secret in your CI/CD platform
GitHub Actions
env:
  GITSCRUM_ACCESS_TOKEN: ${{ secrets.GITSCRUM_ACCESS_TOKEN }}
steps:
  - name: Update task
    run: gitscrum tasks update GS-1234 --status done
GitLab CI
variables:
  GITSCRUM_ACCESS_TOKEN: $GITSCRUM_ACCESS_TOKEN
script:
  - gitscrum tasks update GS-1234 --status done
Multiple Accounts
The CLI supports one authenticated user at a time. To switch accounts:
gitscrum auth logout
gitscrum auth login # Log in as different user
Troubleshooting
Browser Doesn't Open
If the browser doesn't open automatically:
- Copy the URL from the terminal
- Paste it into your browser manually
- Enter the code shown in the terminal
Token Expired
Error: Token expired. Please run: gitscrum auth login
Run gitscrum auth login to re-authenticate.
Behind a Proxy
Set proxy environment variables:
export HTTP_PROXY=http://proxy.example.com:8080
export HTTPS_PROXY=http://proxy.example.com:8080
Firewall Issues
The CLI needs HTTPS access to:
- api.gitscrum.com: API requests
- gitscrum.com: OAuth authorization
Ensure these domains are allowed.