Authentication

You need an API key to publish a mini-app. You do not need one to develop locally — the dev-server has no network dependency on the i99dash backend.

Interactive (recommended)

sdk-i99dash login

The CLI uses OAuth 2.0 Device Authorization Grant (RFC 8628):

1. The CLI asks the backend for a device code and a user code.
2. The CLI prints a URL and the user code, and opens the URL in your browser.
3. You log in to i99dash, paste the user code, and approve.
4. The CLI polls the backend. On approval it receives a long-lived API key and stores it in your OS keychain.

Nothing about your password / session cookie ever touches the CLI.

Where the key lives

Check via sdk-i99dash whoami.

Log out

sdk-i99dash logout

Purges the keychain entry (or deletes the fallback file).

CI / headless machines

Skip login entirely. Set:

export I99DASH_API_KEY="<value>"

The CLI prefers I99DASH_API_KEY over the keychain, so a CI runner with the env var set behaves identically to a logged-in dev.

To mint a CI key: run sdk-i99dash login on a dev machine, then copy the key out of the keychain and store it as a CI secret. Rotate periodically — see below.

Rotation

1. sdk-i99dash logout (clears the local copy)
2. sdk-i99dash login again (mints a new one)
3. The old key is invalidated server-side.

For shared service accounts, coordinate rotation across your team — there's no per-seat key in v1.

What the CLI does with the key

Exhaustively — network calls with the key attached:

1. GET /api/v1/dev/me (identity probe).
2. POST /api/v1/mini-apps/upload-url (publish).
3. PUT <presigned url> (publish, no auth header — presigned URL is the credential).
4. POST /api/v1/mini-apps/submit (publish).
5. GET /api/v1/mini-apps/mine (listing your apps; optional).

Nothing else.