| summary | Auth overview: GitHub OAuth (web) + API tokens (CLI). | ||
|---|---|---|---|
| read_when |
|
- Convex Auth + GitHub OAuth App.
- GitHub is the only supported login provider.
- Disabled/banned accounts are blocked during OAuth completion and should surface a user-facing reason instead of a generic auth failure.
- Env vars:
AUTH_GITHUB_IDAUTH_GITHUB_SECRETCONVEX_SITE_URL(used by auth config)
Local setup steps are in the repo root README.md.
The CLI uses a long-lived API token (Bearer token) for publish/sync/delete.
clawhub login does:
- Starts a loopback HTTP server on
127.0.0.1(random port). - Opens
<site>/cli/auth?redirect_uri=http://127.0.0.1:<port>/callback&state=.... - Web UI requires GitHub login, then creates a token and redirects back to the loopback server.
- CLI stores the token in the global config file.
Create a token in the web UI (Settings → API tokens) and paste it:
clawhub login --token clh_...Default global config path:
- macOS:
~/Library/Application Support/clawhub/config.json
Override:
CLAWHUB_CONFIG_PATH=/path/to/config.json(legacyCLAWDHUB_CONFIG_PATH)
- Tokens can be revoked in the web UI.
- Revoked tokens return
401 Unauthorizedon CLI endpoints.