Authentication¶
bnerd uses bearer token authentication to communicate with the CloudAPI. There are several ways to provide your credentials.
Interactive Login (Recommended)¶
The easiest way to authenticate:
This interactive command prompts you for:
- API URL
- Email and password
- Organization selection (if you belong to multiple)
Your token and organization ID are saved to ~/.bnerd.yaml automatically.
Authentication Methods¶
Method 1: Config File¶
Store your credentials in ~/.bnerd.yaml:
File permissions
The config file is created with 0600 permissions (owner read/write only). Keep it that way to protect your token.
Method 2: Environment Variables¶
export BNERD_TOKEN=your-bearer-token
export BNERD_ORG_ID=your-organization-id
export BNERD_API_URL=https://api.bnerd.net
This is ideal for CI/CD pipelines and scripts where you don't want a config file.
Method 3: Command-Line Flags¶
Useful for one-off commands or testing with different credentials.
Precedence¶
When the same setting is provided via multiple methods, bnerd uses this priority:
- CLI flags (highest priority)
- Environment variables
- Config file
- Defaults (lowest priority)
Verify Authentication¶
Check who you're authenticated as:
This shows your current account details and confirms your token is valid.
Required Credentials by Command Type¶
| Command group | Requires token | Requires org-id | Requires project-id |
|---|---|---|---|
accounts me, whoami | Yes | No | No |
organizations list/create | Yes | No | No |
dns, domains, billing | Yes | Yes | No |
members, invitations | Yes | Yes | No |
k8s, servers, volumes | Yes | Yes | Yes |
networks, routers, loadbalancers | Yes | Yes | Yes |
apps | Yes | Yes | Yes |
Tips¶
- Rotate your token periodically — use
bnerd loginto get a fresh one - In CI/CD, use environment variables instead of config files
- Use
--debugto see the actual HTTP requests if authentication fails