CLI
Login and Logout
Authenticate the CLI against Shelve and manage stored credentials.
Login
terminal
shelve login
shelve login --no-browser
shelve login --with-token
shelve login --token "$SHELVE_TOKEN"
By default, shelve login starts a device authorization flow (similar to Vercel or GitHub CLI):
- The CLI opens your browser to Shelve (or prints a URL and short code).
- Sign in if needed, then click Authorize CLI.
- Shelve creates a revocable API token named
CLI — <hostname>(90-day expiry, full read/write) and the CLI stores it locally.
You can revoke CLI tokens anytime from app.shelve.cloud/user/tokens. Tokens are scopeable, expiring, and IP-bound when created manually from the dashboard.
Options
token
string
API token (skips device login).
SHELVE_TOKEN is also accepted without running login.with-token
boolean
Prompt for a pasted API token instead of browser login.
no-browser
boolean
Do not open a browser; print the authorization URL and user code only.
Where the token is stored
- OS keychain — Keychain (macOS), Credential Vault (Windows), Secret Service / GNOME Keyring (Linux) via
@napi-rs/keyring. - XDG file fallback —
$XDG_CONFIG_HOME/.shelve(typically~/.config/.shelve), mode0600, when the keychain is unavailable.
Legacy
~/.shelve is migrated automatically on first read with v5+.Me
terminal
shelve me
shelve --json me
Human mode prints the logged-in username and email. JSON mode returns { "loggedIn": true, "username", "email" } or { "loggedIn": false }.
Logout
terminal
shelve logout
shelve --json logout
Clears the keychain entry and XDG config. JSON returns { "loggedOut": true }.
Non-interactive environments
Skip shelve login in CI and agents — set SHELVE_TOKEN directly:
terminal
SHELVE_TOKEN="$SHELVE_TOKEN" shelve --non-interactive run -- pnpm test
The CLI reads SHELVE_TOKEN before the keychain. Pair with scoped, expiring tokens for least privilege.
Never commit
SHELVE_TOKEN. Use your CI provider's secrets store.Multiple accounts
One account per machine. To switch: shelve logout, then shelve login again.