Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.baseten.co/llms.txt

Use this file to discover all available pages before exploring further.

truss auth [COMMAND] [OPTIONS]
The truss auth command group manages how the Truss CLI authenticates with a Baseten remote. Use it to log in with an API key or via browser-based OAuth, view the active credential for a remote, and log out.

โ€‹
Authentication methods

The CLI supports two authentication methods, and a single trussrc can mix both โ€” one per remote.
  • API key: paste a long-lived API key. Best for CI/CD, scripts, and any non-interactive context.
  • Browser (OAuth): complete an OAuth 2.0 device flow by entering a code on the Baseten website. Best for laptops where you donโ€™t want a long-lived secret on disk.
OAuth tokens refresh automatically before each request, so you donโ€™t have to re-authenticate while the refresh token is valid.

โ€‹
Where credentials are stored

Truss stores credentials in your operating systemโ€™s keyring under the service name baseten-truss whenever a usable backend is available (macOS Keychain, GNOME Keyring, and Windows Credential Manager). Keyring storage works for both API keys and OAuth tokens. If no keyring backend is available โ€” for example, a headless Linux container โ€” Truss falls back to writing the secret inline to ~/.trussrc and prints a one-line warning. To force the inline path silently, set BASETEN_TRUSS_AUTH_KEYRING_DISABLED=1.
On macOS, the first read or write triggers a one-time Keychain prompt. Click Always Allow to make subsequent calls silent.
Existing plaintext [remote] api_key = ... entries in ~/.trussrc continue to work without changes โ€” thereโ€™s no auto-migration.

โ€‹
Remotes

A remote is a named entry in ~/.trussrc that points at a Baseten workspace and stores its credential. The default remote is baseten. You can configure additional remotes (for staging environments, multiple workspaces, and so on) and select one with --remote on most CLI commands. truss auth status and truss auth logout both accept --remote NAME. When only one remote is configured, the flag is optional.

โ€‹
login

Log in to a Baseten remote. 
truss auth login [OPTIONS]
With no flags, the command prompts you to choose between pasting an API key and logging in via browser. In non-interactive contexts, pass --browser or --api-key explicitly. truss login is an alias and accepts the same flags.

โ€‹
Options

โ€‹
--browser
FLAG
Log in via browser using the OAuth device flow. Mutually exclusive with --api-key.
โ€‹
--api-key
TEXT
Authenticate with a Baseten API key. Mutually exclusive with --browser.
โ€‹
--remote
TEXT
default:"baseten"
Name of the remote to create or update in ~/.trussrc. Defaults to baseten.

โ€‹
Examples

Log in interactively and choose a method when prompted: 
truss auth login
You should see: 
๐Ÿ’ป Let's add a Baseten remote!
? How would you like to authenticate?
  Paste an API key
> Log in via browser (OAuth)
Log in non-interactively with an API key: 
truss auth login --api-key $BASETEN_API_KEY
Log in via browser: 
truss auth login --browser
The CLI prints a verification URL and a short code. Open the URL in any browser, enter the code, and approve the request. Once approved, the CLI stores the OAuth tokens and prints: 
๐Ÿ”“ Logged in to remote `baseten`.
Add a non-default remote (for example, a staging workspace): 
truss auth login --browser --remote staging

โ€‹
logout

Log out of a Baseten remote and remove it from ~/.trussrc. For OAuth remotes, this also revokes the refresh token on the backend. 
truss auth logout [OPTIONS]

โ€‹
Options

โ€‹
--remote
TEXT
Remote name to log out of. Inferred when only one remote is configured.

โ€‹
Examples

Log out of the only configured remote: 
truss auth logout
Log out of a specific remote: 
truss auth logout --remote staging
You should see: 
๐Ÿ‘‹ Logged out of remote `staging`.

โ€‹
status

Show the active authentication for a remote โ€” the URL it points at, which method it uses, and where the credential is stored. 
truss auth status [OPTIONS]

โ€‹
Options

โ€‹
--remote
TEXT
Remote name to inspect. Inferred when only one remote is configured.

โ€‹
Examples

Inspect a remote: 
truss auth status --remote baseten
You should see: 
remote: baseten
remote_url: https://app.baseten.co
auth_type: api_key
source: keyring
The source field is one of:
  • keyring: the credential is stored in the OS keyring.
  • trussrc-inline: the credential is stored as plaintext inside ~/.trussrc.
The auth_type field is api_key, oauth, or api_key (legacy plaintext) for entries written by older Truss versions.

โ€‹
Environment variables

โ€‹
BASETEN_API_KEY
TEXT
API key used as a fallback when the active remote has no credentials in ~/.trussrc. Recommended for CI/CD, where setting the env var avoids running truss login before each job.
โ€‹
BASETEN_TRUSS_AUTH_KEYRING_DISABLED
FLAG
Set to 1 to skip the OS keyring and write credentials inline to ~/.trussrc without printing a warning. Useful in containers and headless environments where no keyring backend is available.