CLI Authentication

The Roster CLI supports two authentication modes:

OAuth browser login for humans
API-key bearer auth for automation, CI, and agents

The CLI is MCP-first. Both auth modes authenticate requests to the Roster MCP endpoint.

OAuth Profiles

Use browser login for human terminal sessions:

roster login https://roster.example.com/mcp --name prod
roster auth status
roster resolve "Who should approve the Helios renewal?"

roster login starts a loopback OAuth callback listener, opens the browser unless --no-open is set, uses PKCE, exchanges the authorization code, stores the OAuth profile, and selects it as the current profile.

An OAuth profile stores:

MCP endpoint URL
OAuth client information
granted scopes
access token and refresh token
optional profile alias

API keys are not stored in OAuth profiles.

Profile Storage

Profile storage defaults to:

~/.roster/config.json

Override it with either ROSTER_HOME or --config-dir:

ROSTER_HOME=/secure/roster-home roster auth profiles
roster --config-dir /secure/roster-home auth profiles

Selecting Profiles

Use --profile when you want a specific saved OAuth profile for one command:

roster --profile prod projects list --limit 3

Use roster auth use when you want to make a profile the default:

roster auth use prod
roster projects list --limit 3
roster resolve "Who should approve the Helios renewal?"

Profile selectors can be aliases, MCP URLs, or profile keys.

Auth Precedence

The CLI resolves the MCP endpoint and credentials separately.

MCP endpoint selection precedence is:

--mcp-url
ROSTER_MCP_URL
The MCP URL stored on the --profile profile or selected OAuth profile

Credential selection precedence is:

--api-key
ROSTER_API_KEY
OAuth tokens from the matching saved profile

If --api-key or ROSTER_API_KEY is present, the CLI uses bearer auth instead of OAuth profile tokens.

Use --profile to select a saved OAuth profile. When no explicit MCP URL is provided, that profile also supplies the MCP endpoint URL.

Scope Presets

roster login uses --scope-preset resolve by default.

Preset	Scopes
`resolve`	`openid profile email offline_access mcp:resolve mcp:resolve-requests:read mcp:projects:read mcp:participants:read`
`read`	`resolve` plus `mcp:labels:read mcp:delegations:read`
`manage`	all supported MCP read and write scopes

Add custom scopes with --scope:

roster login https://roster.example.com/mcp \
  --scope-preset read \
  --scope mcp:custom:read

Use read when you need list and get commands across read-only Roster MCP tools. Use manage only when the profile should create, update, or delete Roster resources.

Profile Commands

Check the current auth source:

roster auth status
roster --profile prod auth status

List saved OAuth profiles:

roster auth profiles

Remove only OAuth tokens from a profile:

roster auth logout
roster auth logout prod

Delete the whole profile and any aliases that point to it:

roster auth logout prod --remove

Manage aliases:

roster auth alias set production prod
roster auth alias rm production

Aliases must start with a letter or number and may contain letters, numbers, dots, underscores, or dashes. They cannot be URLs.

API-Key Automation

Use API keys for CI, automation scripts, and agents that should not launch a browser:

ROSTER_API_KEY=rst_... roster --mcp-url https://roster.example.com/mcp \
  resolve "Who should approve the Helios renewal?"

Or pass the key explicitly:

roster --mcp-url https://roster.example.com/mcp \
  --api-key rst_... \
  projects list --json

API keys are never persisted by the CLI.

Agent Usage

Agents should prefer API-key auth, --non-interactive, and --json:

ROSTER_API_KEY=rst_... roster \
  --mcp-url https://roster.example.com/mcp \
  --non-interactive \
  --json \
  call list_projects limit=10

All JSON emitted by the CLI uses snake_case keys, including wrapper keys such as mcp_url, structured_content, error_code, and request_id.