Authentication & Tokens
ThreatCL Cloud commands require authentication. The CLI supports device flow authentication, manually added tokens, and environment variable-based auth.
Login
The cloud login command authenticates you with ThreatCL Cloud using a device flow. You’ll be given a URL and a code to enter in your browser.
$ threatcl cloud loginIf you belong to multiple organizations, you will be prompted to select which organization to authenticate with. Tokens are stored locally for subsequent commands.
Login options
-org-id— specify the organization ID to log in to directly, skipping the selection prompt
Logout
The cloud logout command removes stored authentication tokens.
$ threatcl cloud logoutLogout options
-org-id— remove the token for a specific organization only-all— remove all stored tokens for all organizations
Whoami
The cloud whoami command displays information about the currently authenticated user and organization.
$ threatcl cloud whoami============================================================ ThreatCL Cloud - User Information============================================================
Current Organization: bba13a37-0d50-4470-a731-f57bf67ac6eb
User: ID: 121f2303-d80c-4c40-9598-5c72749eb0b6 Email: user@example.com ✓ Name: Example User
Organizations: Name: My Org ID: bba13a37-0d50-4470-a731-f57bf67ac6eb Slug: my-org Role: owner Subscription Tier: team Users: 1/100 Threat Models: 0/-1 Storage: 0 KB/0 KBToken Management
The cloud token subcommands provide fine-grained control over stored authentication tokens.
Token List
List all stored tokens:
$ threatcl cloud token listToken Add
Manually add an API token for an organization:
$ threatcl cloud token add -org-id=org_abc123 -token=tcl_mytokenToken Add options
-org-id— the organization ID to associate the token with-token— the API token value
Token Default
Get or set the default organization. When no organization is specified in a command, the default is used.
# View current default$ threatcl cloud token default
# Set a new default$ threatcl cloud token default -org-id=org_abc123Token Default options
-org-id— set this organization as the default
Token Remove
Remove a stored token for a specific organization:
$ threatcl cloud token remove -org-id=org_abc123Token Remove options
-org-id— the organization ID whose token should be removed
Token Resolution Priority
When a cloud command needs an authentication token, the CLI resolves it in the following order:
THREATCL_API_TOKENenvironment variable-tokenflag (if the command supports it)THREATCL_CLOUD_ORGenvironment variable (to select a stored token)- Default organization token (set via
cloud token default) - Single stored token (if only one organization token exists)
If none of these resolve to a valid token, the command will prompt you to run cloud login.