GCA · GETTING STARTED

    Authentication

    Authenticate once with a developer-portal token — every command works thereafter, online or offline.

    Authentication

    Gadriel is license-gated. Authenticate once with a token from the developer portal, and every command works thereafter — online or offline.

    Before Gadriel will scan, it must find a valid license token. This page covers logging in, where the token lives, the license gate, the token format, and offline operation.


    Log in

    Get a token from the developer portal at https://app.gadriel.ai/developers/, then paste it into:

    gadriel auth login

    You'll be prompted to paste the token. For non-interactive / scripted use, pass it directly:

    gadriel auth login --token "<tenant>_pf_live_xxxxxxxxxxxx"
    NOTE

    the legacy --email / --password flags have been removed — there is no password-grant flow. If you pass them, the CLI returns a clear error pointing you at the portal. Use a portal-minted token instead.

    On success, the token is cached and validated. All future gadriel and gadriel code commands run without re-authenticating.


    Where the token is cached

    The token is written to:

    ~/.gadriel/auth/token.jwt   (file mode 0600 — owner read/write only)
    

    The restrictive 0600 permission keeps the token readable only by your user account.


    Token format

    Tokens are opaque, tenant-prefixed strings of the form:

    <tenant_slug>_pf_live_<random>
    
    • The tenant prefix is validated against your CLI's configured tenant. If you paste a token for the wrong tenant, Gadriel detects the mismatch before any scanning work runs.
    • The token is server-validated — Gadriel does not decode secret claims locally.
    • The _pf_live_ infix is shell-safe for copy/paste.

    The license gate

    Every scanning invocation is license-gated. If the token is missing, invalid, expired, or for the wrong tenant, the command fails with:

    exit code 7
    

    along with a message pointing you at gadriel auth login. Exit code 7 is the dedicated "license" exit code in Gadriel's contract.

    The four gadriel auth subcommands (login, logout, status, refresh) are exempt from the gate — so a user with an expired or grace-period token can always recover.


    Check status

    gadriel auth status
      ✓ License token cached
      Tenant:        acme
      Email:         you@example.com
      Token name:    laptop
      Portal URL:    https://app.gadriel.ai/acme
      Scopes:        cli, code:scan
      Expires:       never (no expiry)
      Last validated: 2026-07-07 00:00 UTC (1 days ago)
      Status:        active
    

    gadriel auth status reports token validity, expiry, and remaining offline-grace time. (gadriel status shows combined auth + sync status.)


    Refresh

    Force a fresh online validation and refresh the cached token:

    gadriel auth refresh

    Use this after your portal admin changes your seat, scopes, or expiry.


    Log out

    Wipe the cached token (and best-effort revoke it server-side):

    gadriel auth logout

    Offline mode

    Gadriel is built to run without network access. For fully local-only operation — no outbound calls at all — set the offline environment variable:

    export PREFLIGHT_OFFLINE=1

    In offline mode, Gadriel validates the cached token locally within its offline-grace window and skips every network step. This pairs naturally with air-gapped and CI setups; combine it with gadriel code scan --offline to also skip the OSV CVE sync (your coverage will report DEGRADED until you sync a snapshot — see Scan Coverage).


    Next steps

    • Quickstart — scaffold a repo and run your first scan.
    • Configuration — set portal_url, offline_mode, and other keys in ~/.gadriel/config.toml.
    • Privacy — what does and does not leave your machine.