4fb8611 to f2676aa
Browser-based CLI authentication via localhost callback with PKCE (Proof Key for Code Exchange) to bind auth codes to the originating CLI instance.

- `alchemy auth` / `alchemy auth login` — browser login (skips if valid token exists)
- `alchemy auth login --force` — force re-authentication
- `alchemy auth status` — show auth state
- `alchemy auth logout` — revoke server-side + clear local token

1. Generate PKCE code_verifier/code_challenge
2. Open browser to authchemy with challenge in URL
3. Receive auth code via localhost:16424/callback
4. Exchange code + verifier via POST /api/cli/token
5. Save token + expiresAt to ~/.config/alchemy/config.json

- performBrowserLogin() shared between login command and auth-retry
- withAuthRetry() helper for automatic 401 re-authentication
- resolveAuthToken() with expiry check (single source of truth)
- adminClientFromFlags() falls back to auth token when no access key
- auth_token recognized as valid setup method in onboarding
- Server-returned expiresAt used instead of client-side computation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
CodesMcCabe approved these changes Mar 26, 2026
Comment on lines +14 to +16:

```ts
const SUCCESS_HTML = `<!DOCTYPE html>
<html>
<head><title>Alchemy CLI</title>
```
Collaborator
can we pull this out to a separate file?
```ts
  }
});

server.listen(port);
```
Collaborator
Should we bind explicitly to 127.0.0.1 here?
Summary

- `alchemy auth` command with browser-based OAuth authorization code flow
- `alchemy auth login` (default), `alchemy auth status`, `alchemy auth logout`
- `expires_in_seconds` (default 90 days) — server controls the cap
- `withAuthRetry()` helper for automatic 401 re-authentication
- `adminClientFromFlags()` falls back to auth token when no access key is set

How it works

1. CLI listens on `localhost:16424`
2. Browser opens `https://auth.alchemy.com/login?redirectUrl=http://localhost:16424/callback`
3. Callback receives `?code=<code>`
4. `POST /api/cli/token { code, redirect_uri, expires_in_seconds }`
5. Response `{ authToken, expiresAt, expiresInSeconds }`
6. Token written to `~/.config/alchemy/config.json` with `0600` permissions

New files

- `src/lib/auth.ts` — HTTP callback server, browser open, code exchange
- `src/commands/auth.ts` — `alchemy auth` command (login/status/logout)
- `src/lib/auth-retry.ts` — `withAuthRetry()` for automatic 401 re-auth

Modified files

- `src/lib/config.ts` — `auth_token` + `auth_token_expires_at` fields
- `src/lib/resolve.ts` — `resolveAuthToken()`, auth token fallback in `adminClientFromFlags()`
- `src/lib/errors.ts` — Updated `errAuthRequired()` hint
- `src/lib/onboarding.ts` — `auth_token` as valid setup method
- `src/index.ts` — Register auth command

Companion PR

Test plan

- `alchemy auth` — verify browser opens and token saved
- `alchemy auth status` — verify authenticated state
- `alchemy auth logout` — verify token cleared
- `--json` output modes