Get an API key

tomoul auth

Log in once so `--cloud` knows who you are. Stores an API key in your OS keychain — never in a plaintext file.

Log in

$ tomoul auth login
 Opening https://tomoul.ai/cli-auth?code=ABC-123 in your browser...
  Logged in as [email protected]

OAuth flow opens a browser, you confirm, the CLI receives a key. No copy-paste.

Log out

tomoul auth logout

Deletes the stored key.

Whoami

$ tomoul auth whoami
[email protected] (org: razorbill, key: tomoul_sk_•••abcd)

Env var alternative

If you'd rather skip the OAuth flow — CI, containers, scripted setup — set TOMOUL_KEY in the environment. The CLI prefers env var over keychain when both are set.

export TOMOUL_KEY=tomoul_sk_...
tomoul serve phi-4 --cloud   # works without `auth login`

Where the key lives

OSStorage
macOSKeychain (entry: tomoul.ai).
Linuxlibsecret (gnome-keyring / kwallet). Falls back to ~/.config/tomoul/credentials (mode 0600) if no secret service.
WindowsCredential Manager.

The CLI never writes the key in cleartext to a config file unless the OS has no secret store.

← Previous
tomoul models
Next →
tomoul cloud
Last updated 13 May 2026Edit this page on GitHub