Signing in

slothbox login runs a standard OAuth 2.0 authorization-code flow with PKCE against the Slothbox web app. It opens your browser, starts a temporary loopback server on a random local port to catch the callback, then exchanges the code for an access + refresh token pair.

Tokens are written to your OS config directory with 0600 permissions — ~/.config/slothbox/auth.json on Linux, ~/Library/Application Support/slothbox/auth.json on macOS. slothbox logout deletes that file.

This is the same Cognito-backed sign-in the web app uses; see Authentication for how the underlying tokens work.

:::info For a human at the keyboard, not for CI slothbox login is an interactive OAuth flow for humans — it opens a browser and hands back a short-lived, refreshed session, so it suits a person working at their machine. CI pipelines and unattended scripts have no browser to sign in with and should authenticate with an org-level service-account API key instead. Put the organization on the API plan and follow the headless guide. :::