Most CLI commands require an active Iris Pro licence. Authenticate via the browser OAuth flow for local development, or pass a licence token as an environment variable for non-interactive CI runners — no login step needed on the runner.
Authentication commands
# Browser-based OAuth (interactive)
iris auth login
# Licence token (non-interactive)
iris auth login --token sk_live_your_licence_key_here
# Confirm active session
iris auth status
# Remove stored credentials
iris auth logout
How credentials are stored
Both the browser flow and the token flow write to ~/.iris/credentials. The file is created with chmod 600 so only the current user can read it.
Add ~/.iris/ to your global gitignore to prevent accidentally committing credentials to a repository.
Priority order
The CLI resolves credentials in this order:
- IRIS_LICENCE_TOKEN environment variable — checked first; takes precedence over the credentials file
- Credentials file at ~/.iris/credentials — written by iris auth login or iris auth login --token
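The shell functions below are an added example, not part of the Iris CLI or its documentation: they mirror the resolution order above and check that ~/.iris/credentials is mode 600 before a job runs. The function names, the exit codes and the treatment of an empty IRIS_LICENCE_TOKEN as unset are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Iris CLI. Function names are hypothetical.
# Assumption: an empty IRIS_LICENCE_TOKEN is treated the same as an unset one.

IRIS_CRED_REL=".iris/credentials"   # path documented on this page, under $HOME

# Print the source the documented resolution order selects: env, file or none.
iris_cred_source() {
    if [ -n "${IRIS_LICENCE_TOKEN:-}" ]; then
        echo env                     # environment variable is checked first
    elif [ -f "$HOME/$IRIS_CRED_REL" ]; then
        echo file
    else
        echo none
    fi
}

# Print a file's octal permission bits (GNU stat, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when the credentials file is exactly mode 600.
iris_cred_mode_ok() {
    [ "$(file_mode "$HOME/$IRIS_CRED_REL")" = "600" ]
}

# Return 0 if safe, 1 if the file is too permissive, 2 if no credential exists.
iris_auth_audit() {
    src=$(iris_cred_source)
    echo "credential source: $src"
    if [ -f "$HOME/$IRIS_CRED_REL" ]; then
        if ! iris_cred_mode_ok; then
            echo "FAIL: ~/$IRIS_CRED_REL is not mode 600" >&2
            return 1
        fi
        if [ "$src" = env ]; then
            echo "note: credentials file exists but the env var takes precedence"
        fi
    fi
    if [ "$src" = none ]; then
        echo "FAIL: no IRIS_LICENCE_TOKEN and no credentials file" >&2
        return 2
    fi
    return 0
}

# Run the audit when invoked as: sh iris-auth-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then iris_auth_audit; fi
```

The audit fails on a permissive credentials file even when the environment variable is set, because a shadowed file left on disk is still readable by other users.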
Using IRIS_LICENCE_TOKEN in CI
The environment variable is the recommended approach for CI runners. It avoids writing any files to the runner filesystem, and you can revoke it simply by rotating the secret in your repository settings.
# Set for current shell session
export IRIS_LICENCE_TOKEN=sk_live_your_licence_key_here
# Or inline for a single command
IRIS_LICENCE_TOKEN=sk_live_your_licence_key_here iris gate
To use the token in a CI pipeline:
- Add your licence key as a repository secret named IRIS_LICENCE_TOKEN in your CI provider settings.
- Reference the secret as the IRIS_LICENCE_TOKEN environment variable in the workflow step that runs Iris.
- The CLI reads the env var automatically — no iris auth login step is required on the runner.
iris secrets runs without any authentication at all — it is free and requires no licence. You can use it in any pipeline without setting IRIS_LICENCE_TOKEN.