Authentication
Authentication
Section titled “Authentication”atlcli supports authentication for both Atlassian Cloud and Server/Data Center installations, with multiple profiles for different instances.
Quick Start
Section titled “Quick Start”# Initialize credentials (interactive)atlcli auth init
# Check current statusatlcli auth status
# List all profilesatlcli auth listCloud vs Server/Data Center
Section titled “Cloud vs Server/Data Center”atlcli supports both Atlassian deployment types with different authentication methods:
| Deployment | Auth Method | Token Type |
|---|---|---|
Cloud (*.atlassian.net) | Basic Auth | API Token |
| Server / Data Center | Bearer Auth | Personal Access Token (PAT) |
Cloud instances use your email address and an API token for authentication. This is the default mode.
Server/Data Center instances use Bearer authentication with a Personal Access Token (PAT). Use the --bearer flag when logging in.
API Tokens
Section titled “API Tokens”Creating a Token
Section titled “Creating a Token”- Visit Atlassian Account Settings
- Click Create API token
- Enter a label (e.g., “atlcli”)
- Copy the generated token immediately (it won’t be shown again)
Token Permissions
Section titled “Token Permissions”API tokens inherit your account permissions. For atlcli to work fully, your account needs:
- Confluence: Space admin or contributor permissions
- Jira: Project access for issues you want to manage
Auth Commands
Section titled “Auth Commands”Initialize (Interactive)
Section titled “Initialize (Interactive)”Interactive setup that prompts for all credentials:
atlcli auth initatlcli auth init --profile workLogin (Non-Interactive)
Section titled “Login (Non-Interactive)”Login with credentials provided via flags or environment.
Cloud (Default)
Section titled “Cloud (Default)”atlcli auth login --site https://company.atlassian.net --email you@company.com --token YOUR_TOKENatlcli auth login --profile work --site https://work.atlassian.netServer/Data Center
Section titled “Server/Data Center”Use the --bearer flag for PAT authentication:
# With token provided directlyatlcli auth login --bearer --site https://jira.company.com --token YOUR_PAT
# With keychain lookup (macOS)atlcli auth login --bearer --site https://jira.company.com --username myuserOptions:
| Flag | Description |
|---|---|
--site | Atlassian instance URL |
--email | Account email (Cloud) |
--token | API token (Cloud) or PAT (Server/DC) |
--bearer | Use Bearer auth with PAT (for Server/DC) |
--username | Username for keychain lookup (Server/DC) |
--profile | Profile name to create/update |
Status
Section titled “Status”Check current authentication status:
atlcli auth statusOutput:
Profile: work (active)Site: https://company.atlassian.netEmail: you@company.comStatus: Authenticated ✓List Profiles
Section titled “List Profiles”atlcli auth listOutput:
PROFILE SITE EMAIL ACTIVEdefault https://company.atlassian.net you@company.comwork https://work.atlassian.net work@company.com ✓personal https://personal.atlassian.net me@gmail.comSwitch Profile
Section titled “Switch Profile”Change the active profile:
atlcli auth switch workatlcli auth switch personalRename Profile
Section titled “Rename Profile”atlcli auth rename old-name new-nameLogout
Section titled “Logout”Clear credentials but keep the profile (for easy re-login):
atlcli auth logoutatlcli auth logout workDelete Profile
Section titled “Delete Profile”Remove a profile entirely:
atlcli auth delete old-profileatlcli auth delete old-profile --delete-keychain # macOS onlyWhen deleting a profile with a keychain-backed token, use --delete-keychain to remove the stored credentials. Without it, keychain credentials (if any) are left intact.
Profiles
Section titled “Profiles”Default Profile
Section titled “Default Profile”Initialize the default profile:
atlcli auth initEnter your instance URL, email, and API token when prompted.
Named Profiles
Section titled “Named Profiles”Create profiles for multiple instances:
atlcli auth init --profile workatlcli auth init --profile personalatlcli auth init --profile client-acmeUse a profile with any command:
atlcli jira search --assignee me --profile workatlcli wiki docs pull ./docs --profile client-acmePer-Command Override
Section titled “Per-Command Override”# Use specific profile for one commandatlcli wiki page list --space TEAM --profile workToken Storage
Section titled “Token Storage”Config File
Section titled “Config File”Credentials are stored at ~/.atlcli/credentials.json:
{ "currentProfile": "work", "profiles": { "default": { "name": "default", "baseUrl": "https://company.atlassian.net", "email": "you@company.com", "apiToken": "ATATT3x..." }, "work": { "name": "work", "baseUrl": "https://work.atlassian.net", "email": "work@company.com", "apiToken": "ATATT3x..." } }}For Server/Data Center profiles using Bearer auth, the profile includes authType: "bearer" and may include a username for keychain lookup.
Mac Keychain (macOS)
Section titled “Mac Keychain (macOS)”On macOS, you can store tokens securely in the system Keychain instead of the config file. When you provide a --username during login, atlcli stores the token in Keychain and looks it up automatically:
# Store token in Keychain during loginatlcli auth login --bearer --site https://jira.company.com --username myuser --token YOUR_PAT
# Token is now stored in Keychain - subsequent logins can use keychain lookupatlcli auth login --bearer --site https://jira.company.com --username myuserThe token is stored with:
- Service:
atlcli - Account: Your username
Token Resolution Priority
Section titled “Token Resolution Priority”Tokens are resolved in this order (first found wins):
ATLCLI_API_TOKENenvironment variable- Mac Keychain (if username is configured in profile)
- Config file (
~/.atlcli/credentials.json)
Checking Token Source
Section titled “Checking Token Source”Use --json to see where your token is coming from:
atlcli auth status --jsonThe output includes:
hasEnvToken: Token is set via environment variablehasKeychainToken: Token is available from KeychainhasPatInConfig: Token is stored in config file
Environment Variables
Section titled “Environment Variables”Override credentials with environment variables:
| Variable | Description |
|---|---|
ATLCLI_SITE | Atlassian instance URL |
ATLCLI_EMAIL | Account email (Cloud) |
ATLCLI_API_TOKEN | API token (Cloud) or PAT (Server/DC) |
ATLCLI_PROFILE | Default profile name |
Environment variables take precedence over config files:
export ATLCLI_SITE="https://ci.atlassian.net"export ATLCLI_EMAIL="ci@company.com"export ATLCLI_API_TOKEN="$CI_ATLASSIAN_TOKEN"atlcli jira search --jql "project = PROJ"Precedence
Section titled “Precedence”Credentials are resolved in this order (later wins):
- Default profile in config
ATLCLI_PROFILEenvironment variableATLCLI_SITE/ATLCLI_EMAIL/ATLCLI_API_TOKENenv vars--profilecommand flag
CI/CD Usage
Section titled “CI/CD Usage”For CI/CD pipelines, use environment variables or secrets:
GitHub Actions
Section titled “GitHub Actions”- name: Search Jira env: ATLCLI_SITE: ${{ secrets.ATLASSIAN_URL }} ATLCLI_EMAIL: ${{ secrets.ATLASSIAN_EMAIL }} ATLCLI_API_TOKEN: ${{ secrets.ATLASSIAN_TOKEN }} run: atlcli jira search --jql "fixVersion = ${{ github.ref_name }}"GitLab CI
Section titled “GitLab CI”jira-update: script: - atlcli jira issue transition --key $ISSUE_KEY --to Done variables: ATLCLI_SITE: $ATLASSIAN_URL ATLCLI_EMAIL: $ATLASSIAN_EMAIL ATLCLI_API_TOKEN: $ATLASSIAN_TOKENJenkins
Section titled “Jenkins”environment { ATLCLI_SITE = credentials('atlassian-url') ATLCLI_EMAIL = credentials('atlassian-email') ATLCLI_API_TOKEN = credentials('atlassian-token')}Docker
Section titled “Docker”docker run -e ATLCLI_SITE -e ATLCLI_EMAIL -e ATLCLI_API_TOKEN atlcli jira searchTroubleshooting
Section titled “Troubleshooting”Invalid Credentials
Section titled “Invalid Credentials”Error: Authentication failed (401)- Verify your API token hasn’t expired
- Check the instance URL includes
https:// - Confirm email matches your Atlassian account
- Re-initialize:
atlcli auth init
Permission Denied
Section titled “Permission Denied”Error: You don't have permission (403)- Check your account has access to the project/space
- For Jira, verify project permissions
- For Confluence, verify space permissions
Wrong Profile
Section titled “Wrong Profile”# Check which profile is activeatlcli auth status
# Switch if neededatlcli auth switch correct-profileToken Expired
Section titled “Token Expired”Atlassian API tokens can expire. Regenerate and update:
# Generate new token at https://id.atlassian.com/manage-profile/security/api-tokens# Then updateatlcli auth init --profile workServer/Data Center Auth Failures
Section titled “Server/Data Center Auth Failures”Error: Authentication failed (401)For Server/Data Center instances:
- Verify you used
--bearerflag when logging in - Check that your PAT hasn’t expired (Server/DC PATs have expiration dates)
- Confirm the PAT has the required permissions in your Atlassian admin settings
- Ensure the instance URL is correct and accessible
To re-authenticate:
atlcli auth login --bearer --site https://jira.company.com --token YOUR_NEW_PATKeychain Issues (macOS)
Section titled “Keychain Issues (macOS)”If Keychain lookup fails:
- Verify the token was stored:
security find-generic-password -s atlcli -a <username> - Re-store the token:
atlcli auth login --bearer --site <url> --username <user> --token <pat> - Check Keychain Access app for any access issues
Related Topics
Section titled “Related Topics”- Getting Started - Initial setup and first commands
- Configuration - Config file options
- Doctor - Diagnose authentication issues