Authentication

The Parix CLI authenticates with a browser-based OAuth flow using PKCE. Login stores a local session that the api, database, and tb commands use automatically.

Sign in

Run:

parix auth login

The command:

• starts a local loopback callback server on 127.0.0.1
• opens the Parix browser authorization flow
• requests consent for the first-party parix client
• exchanges the authorization code for tokens
• stores the session at ~/.config/parix/session.json

To target a local or non-default environment:

parix auth login --base-url http://localhost:5173

If the browser does not open automatically, the CLI prints the authorization URL so you can open it manually.

Check status

Run:

parix auth status

The status command validates the stored session, refreshes tokens when needed, and prints the current user and organization context.

Use a base URL override if needed:

parix auth status --base-url http://localhost:5173

Sign out

Run:

parix auth logout

This removes the local session file. It does not delete your Parix account or revoke organization membership.

Session file

The session is stored at:

~/.config/parix/session.json

Treat this file as sensitive. It contains an access token and may contain a refresh token. Do not commit it, share it, or copy it into logs.

Scopes

The CLI login requests scopes for identity, organization context, database reads, database writes, and billing reads:

openid profile email offline_access org:read db:read db:write billing:read

Read-only TigerBeetle operations require db:read. Database creation, database deletion, and TigerBeetle write operations require db:write.

Common fixes

If a command says no local session exists, run:

parix auth login

If the stored session points at the wrong Parix environment, rerun the command with --base-url or log out and sign in again:

parix auth logout
parix auth login --base-url http://localhost:5173

If token refresh fails, sign in again. The CLI will recreate the session file.