Login
amika auth login authenticates with Amika using the WorkOS Device Authorization Flow.
Quick start
# Log in (opens browser)
amika auth login
# Check login status
amika auth status
# Log out
amika auth logout
How it works
- The CLI requests a device code from WorkOS.
- A user code is displayed and the browser opens for you to authorize.
- The CLI polls WorkOS until you complete authorization.
- The session (access token, refresh token, email, org) is saved to
${XDG_STATE_HOME}/amika/workos-session.json.
- Access tokens are automatically refreshed when they are within 60 seconds of expiry.
Session storage
The session file is stored at ~/.local/state/amika/workos-session.json by default (following XDG Base Directory conventions). File permissions are set to 0600.
The path can be overridden with the AMIKA_STATE_DIRECTORY environment variable.
| Command | Description |
|---|
amika auth status | Show current login status (email and org) |
amika auth logout | Remove the saved session |
Environment variables
| Variable | Default | Description |
|---|
AMIKA_API_URL | https://app.amika.dev | Override the remote API base URL. Used by sandbox commands when operating on remote sandboxes |
AMIKA_WORKOS_CLIENT_ID | | Override the default WorkOS client ID. If you change AMIKA_API_URL, you likely need to update this variable too |
Credential discovery
amika auth extract discovers locally stored API credentials from multiple coding agent tools and prints them as shell environment assignments.
You can use this to copy coding agent credentials into Amika’s web UI so you can
spin up ready-to-go sandboxes from the web.
Quick start
# Print detected assignments
amika auth extract
# Export into current shell
eval "$(amika auth extract --export)"
# Skip OAuth sources
amika auth extract --no-oauth
Supported sources
Amika reads sources in priority order.
| Priority | Source | Files | Providers |
|---|
| 500 | Claude API key | ~/.claude.json.api, ~/.claude.json | Anthropic |
| 400 | Claude OAuth | ~/.claude/.credentials.json, ~/.claude-oauth-credentials.json | Anthropic |
| 300 | Codex | ~/.codex/auth.json | OpenAI |
| 290 | Amika env cache | ${XDG_CACHE_HOME}/amika/env-cache.json | Any |
| 280 | Amika keychain | ${XDG_DATA_HOME}/amika/keychain.json | Any |
| 270 | Amika OAuth | ${XDG_STATE_HOME}/amika/oauth.json | Any |
| 200 | OpenCode | ~/.local/share/opencode/auth.json | Any |
| 100 | Amp | ~/.amp/config.json | Anthropic |
Output mapping
Amika normalizes provider names and exports common aliases:
- Anthropic keys output as both
ANTHROPIC_API_KEY and CLAUDE_API_KEY.
- OpenAI keys output as both
OPENAI_API_KEY and CODEX_API_KEY.
Example output:
ANTHROPIC_API_KEY='sk-ant-...'
CLAUDE_API_KEY='sk-ant-...'
OPENAI_API_KEY='sk-...'
CODEX_API_KEY='sk-...'
Provider canonicalization
Provider names are normalized before deduplication:
claude, anthropic → anthropiccodex, openai → openai- Other providers are lowercased, with separators normalized to hyphens
OAuth token handling
OAuth sources (claude_oauth, amika_oauth, Codex OAuth, OpenCode OAuth) are included by default. Use --no-oauth to skip them.
OAuth tokens with an expiresAt or expires timestamp are skipped if expired.
Flags
| Flag | Default | Description |
|---|
--export | false | Prefix lines with export |
--homedir <path> | $HOME | Override home directory for discovery |
--no-oauth | false | Skip OAuth credential sources |
Use --homedir in CI or test environments when you need deterministic credential fixtures.
