
Authentication

Cody CLI supports three authentication paths. You can start coding with zero signup and upgrade later.

1. Auto-Provisioning (Zero Signup)

The fastest way to start — no account, no email, no credit card:

npm install -g @ainative/cody-cli
cody

On first run, a temporary token (tmp_ prefix) is auto-provisioned. You get immediate access to free-tier models. Temporary tokens have a TTL — upgrade to a full account to keep your data and unlock paid models.

2. OAuth 2.1 + PKCE (Full Account)

The recommended path for paid subscribers:

cody login

This opens your browser to ainative.studio/oauth/authorize. Authorize the Cody CLI application and the token is stored locally. Tokens auto-refresh — no manual re-login needed.

3. API Key (BYOK)

Get an API key from your AINative dashboard. Keys use the sk_ prefix.

Environment variables

export ANTHROPIC_API_KEY=sk_your_key
export ANTHROPIC_BASE_URL=https://api.ainative.studio

Inline flag

cody --api-key sk_your_key

Settings file

Add to ~/.cody/settings.json:

{
  "apiKey": "sk_your_key"
}

API Key Format

AINative API keys use the sk_ prefix. Keys with sk-ant- prefix are for direct upstream access and will not work with the AINative gateway.

Subscription Tiers

| Tier | Models | Features |
| --- | --- | --- |
| Free | deepseek-4-flash, kimi-k2, qwen3-coder-flash, llama-3.3-70b | All tools, 5-level agents, MCP servers, memory |
| Professional | + qwen-coder-32b, glm-5, kimi-k2-thinking | + Priority routing, higher rate limits |
| Enterprise | + claude-sonnet-4.5, claude-opus-4 (BYOK) | + Agent Cloud, custom MCP hosting |

All tiers include: slash commands, auto mode, workflows, code review, security review, PR review, background agents, and persistent memory.

Auth Commands

| Command | Description |
| --- | --- |
| cody login | OAuth browser login |
| cody logout | Clear stored credentials |
| /mcp-login <server> | Authenticate an MCP server (in-session) |
| /mcp-logout <server> | Clear MCP credentials (in-session) |

Credential Storage

| Credential | Location |
| --- | --- |
| OAuth tokens | ~/.config/cody-cli/credentials.json |
| API keys | Environment variable or ~/.config/cody-cli/settings.json |

Security

  • Tokens are never logged or sent to telemetry
  • isEssentialTrafficOnly() disables all non-essential data collection
  • OAuth uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception
  • API keys are protected by filesystem permissions only; the config files that hold them are not accessible to other users