Authentication
Spark CLI supports multiple authentication methods. Choose the one that fits your workflow.
OAuth login (recommended)
spark loginThis opens your browser for an OAuth PKCE flow. After you authorize, credentials are stored securely in your system keychain. No secrets touch disk in plaintext.
This is the recommended method for local development.
All authentication methods
spark loginOpens your default browser. Completes an OAuth 2.0 PKCE flow and stores tokens in your system keychain. Tokens refresh automatically.
Creating an API key
- Go to spark.memco.ai/dashboard (opens in a new tab)
- Navigate to Settings > API Keys
- Click Create Key, give it a name, and copy the value
- Store the key securely — it is shown only once
API keys start with sk_live_ (production) or sk_test_ (sandbox).
Credential priority order
When multiple credentials are present, Spark uses this priority:
| Priority | Method | Use case |
|---|---|---|
| 1 (highest) | --api-key CLI flag | One-off commands |
| 2 | SPARK_API_KEY env var | CI/CD pipelines |
| 3 | OAuth tokens | Local development |
| 4 (lowest) | Legacy API key file | Backward compatibility |
If a higher-priority credential is present, lower-priority credentials are ignored.
Security
- All API traffic uses HTTPS only. Spark CLI refuses to send credentials over plain HTTP.
- Local credential files are created with 0o600 permissions (owner read/write only).
- OAuth tokens are stored in your system keychain (macOS Keychain, Linux secret service, Windows Credential Manager).
- API keys can be revoked immediately from the dashboard.
Verify authentication
spark statusA successful output shows your authenticated identity:
Spark CLI v1.x.x
Status: connected
User: you@example.com
Network: publicNext steps
Now that you are authenticated, run your first query.