Authentication
Cody CLI supports three authentication paths. You can start coding with zero signup and upgrade later.
1. Auto-Provisioning (Zero Signup)
The fastest way to start — no account, no email, no credit card:
npm install -g @ainative/cody-cli
cody
On first run, a temporary token (tmp_ prefix) is auto-provisioned. You get immediate access to free-tier models. Temporary tokens have a TTL — upgrade to a full account to keep your data and unlock paid models.
2. OAuth 2.1 + PKCE (Full Account)
The recommended path for paid subscribers:
cody login
This opens your browser to ainative.studio/oauth/authorize. Authorize the Cody CLI application and the token is stored locally. Tokens auto-refresh — no manual re-login needed.
3. API Key (BYOK)
Get an API key from your AINative dashboard. Keys use the sk_ prefix.
Environment variables
export ANTHROPIC_API_KEY=sk_your_key
export ANTHROPIC_BASE_URL=https://api.ainative.studio
Inline flag
cody --api-key sk_your_key
Settings file
Add to ~/.cody/settings.json:
{
  "apiKey": "sk_your_key"
}
AINative API keys use the sk_ prefix. Keys with sk-ant- prefix are for direct upstream access and will not work with the AINative gateway.
Subscription Tiers
| Tier | Models | Features |
|---|---|---|
| Free | deepseek-4-flash, kimi-k2, qwen3-coder-flash, llama-3.3-70b | All tools, 5-level agents, MCP servers, memory |
| Professional | + qwen-coder-32b, glm-5, kimi-k2-thinking | + Priority routing, higher rate limits |
| Enterprise | + claude-sonnet-4.5, claude-opus-4 (BYOK) | + Agent Cloud, custom MCP hosting |
All tiers include: slash commands, auto mode, workflows, code review, security review, PR review, background agents, and persistent memory.
Auth Commands
| Command | Description |
|---|---|
| cody login | OAuth browser login |
| cody logout | Clear stored credentials |
| /mcp-login <server> | Authenticate an MCP server (in-session) |
| /mcp-logout <server> | Clear MCP credentials (in-session) |
Credential Storage
| Credential | Location |
|---|---|
| OAuth tokens | ~/.config/cody-cli/credentials.json |
| API keys | Environment variable or ~/.config/cody-cli/settings.json |
Security
- Tokens are never logged or sent to telemetry
- isEssentialTrafficOnly() disables all non-essential data collection
- OAuth uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception
- API keys are stored with filesystem permissions only — not in plaintext config files accessible to other users
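To check the storage and key-prefix statements above on your own machine, here is an added example (not part of Cody CLI or its documentation). The function names are hypothetical, and the expectation that credential files carry no group/other permission bits (mode 600) is an assumption. It checks both settings paths this page mentions and never prints the key itself.

```shell
#!/bin/sh
# Added example: local audit of Cody CLI credential files and key prefix.

# classify_key KEY -> gateway | upstream | temporary | unknown
classify_key() {
  case "$1" in
    sk-ant-*) echo upstream ;;   # direct upstream key, not for the AINative gateway
    sk_*)     echo gateway ;;    # AINative API key
    tmp_*)    echo temporary ;;  # auto-provisioned token with a TTL
    *)        echo unknown ;;
  esac
}

# private_mode FILE -> success only if no group/other permission bits are set.
# Reads the mode string from ls (portable across GNU and BSD userlands).
private_mode() {
  perms=$(ls -ldL "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# audit_cody_creds [HOME_DIR] [KEY] -> prints findings; exit status = number of findings.
# KEY defaults to $ANTHROPIC_API_KEY; HOME_DIR defaults to $HOME.
audit_cody_creds() {
  home=${1:-$HOME}
  key=${2-${ANTHROPIC_API_KEY:-}}
  findings=0
  for f in "$home/.config/cody-cli/credentials.json" \
           "$home/.config/cody-cli/settings.json" \
           "$home/.cody/settings.json"; do
    [ -e "$f" ] || continue
    if ! private_mode "$f"; then
      echo "WARN: $f is accessible to group/other (assumed fix: chmod 600)"
      findings=$((findings + 1))
    fi
  done
  case "$(classify_key "$key")" in
    upstream)
      echo "WARN: key has the sk-ant- prefix and will not work with the AINative gateway"
      findings=$((findings + 1)) ;;
    temporary)
      echo "NOTE: tmp_ token in use; it is temporary and has a TTL" ;;
  esac
  return "$findings"
}
```

Run `audit_cody_creds` with no arguments after sourcing the file; a zero exit status means no findings.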