Authentication

Spark CLI supports multiple authentication methods. Choose the one that fits your workflow.

OAuth login (recommended)

spark login

This opens your browser for an OAuth 2.0 PKCE flow. After you authorize, an access token and refresh token are written to ~/.spark/settings.json (mode 0o600). Tokens refresh automatically with a 5-minute buffer before expiration.

This is the recommended method for local development.

All authentication methods

spark login

Creating an API key

1. Go to spark.memco.ai/dashboard (opens in a new tab)
2. Navigate to Settings > API Keys
3. Click Create Key, give it a name, and copy the value
4. Store the key securely — it is shown only once

Credential priority order

When multiple credentials are present, Spark uses this priority:

If a higher-priority credential is present, lower-priority credentials are ignored.

Where credentials live

Both files are created with 0o600 permissions (owner read/write). Credentials are keyed by API base URL inside the file, so multiple Spark instances (e.g. self-hosted) coexist cleanly.

Security

• All API traffic uses HTTPS only. Spark CLI refuses to send credentials over plain HTTP.
• Credential files are created with 0o600 permissions (owner read/write only).
• API keys can be revoked immediately from the dashboard.

Verify authentication

spark whoami

A successful output shows your authenticated identity. For a fuller picture (version, IDE skills, organization), use:

spark status

Next steps

Now that you are authenticated, run your first query.