logi-cli
Command-line tool for managing the logi Identity Provider from your terminal.
한국어 버전: README.ko.md
Install
Pick whichever feels native:
# Homebrew (macOS)
brew install dcode-co/logi/logi
# RubyGems (anywhere with Ruby ≥ 3.3)
gem install logi-cli
Verify:
logi --version # logi-cli 0.1.0
logi # welcome + sign-in status
logi login # opens browser → sign in → PAK auto-saved
If gem install logi-cli succeeds but which logi is empty on macOS, your gem bin dir isn't on PATH:
echo 'export PATH="$(gem environment gemdir)/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc
Development (from source)
```bash cd cli && bundle install bundle exec bin/logi # Welcome screen + suggested next steps bundle exec bin/logi login # Browser OAuth sign-in bundle exec bin/logi apps list # List your OAuth apps ``` Once installed, add `bin/` to your `PATH` and you can just type `logi`.Commands
| Command | What it does |
|---|---|
logi |
Welcome screen + current sign-in status + suggested next steps |
logi login |
Opens your browser → grant access → issues a PAK automatically |
logi whoami |
Show the signed-in account and PAK |
logi logout |
Delete saved credentials |
logi apps list |
List your OAuth apps |
logi apps show <ID> |
Show app details |
logi apps create --name X -r URL |
Register a new app |
logi apps verify <ID> -r URL |
Check an RP integration (tier / redirect URI / env values) |
logi apps add-redirect <ID> URL |
Add a redirect URI |
logi apps remove-redirect <ID> URL |
Remove a redirect URI |
logi apps rotate-secret <ID> |
Rotate client_secret (owner/admin only) |
logi apps delete <ID> |
Delete an app (owner/admin only) |
logi token inspect <JWT> |
Decode a JWT and verify its signature against JWKS |
Environment variables
| Variable | What it does |
|---|---|
LOGI_API_URL |
API server URL (default https://api.1pass.dev) |
LOGI_PORTAL_URL |
Developer Portal URL (default https://start.1pass.dev) |
LOGI_API_KEY |
Use a PAK directly (handy in CI/CD) |
LOGI_CONFIG_PATH |
Path to the credentials file |
Security
- Credentials are stored with
chmod 600. - Only the first 8 characters of a PAK are ever shown in output or logs.
logi loginuses OAuth 2.0 with PKCE — you only enter your password in the browser.logi logoutwill also revoke the PAK on the server (server-side revocation is coming in a follow-up).
Not yet implemented
test-flow, team, audit-log and a few others are planned for v0.2.
Diagnosing (verify)
When someone integrating an RP says "the redirect never comes back," start here:
logi apps verify $CLIENT_ID -r "https://yourapp.com/auth/callback"
It checks:
- App status (approved / pending)
- Tier (production / sandbox — sandbox apps can't talk to prod domains)
- Whether the redirect URI is registered
- Recommended environment variables for the RP (
LOGI_API_URL/LOGI_CLIENT_ID/LOGI_CLIENT_SECRET)
Full troubleshooting guide: https://docs.1pass.dev/guide/troubleshooting