Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tolmo.com/llms.txt

Use this file to discover all available pages before exploring further.

Tolmo authenticates you through a browser-based OAuth flow against the Tolmo backend. Once you log in, your credentials are stored in ~/.tolmo/ as a named profile and reused automatically for subsequent commands. For CI/CD pipelines and automated scripts, you can skip the interactive flow entirely and authenticate using environment variables instead.

Interactive login

1

Log in

Run the login command to open a browser window and complete the OAuth flow:
tolmo auth login
Tolmo opens your default browser and waits for you to authenticate. After you approve access, the CLI stores your credentials in ~/.tolmo/ under the default profile.
2

Confirm your session

Verify that authentication succeeded and check which organization is active:
tolmo auth status
The output shows your active profile, the API URL, and the organization slug.
3

Log out when done

To revoke the stored session and remove local credentials:
tolmo auth logout

Named profiles

Named profiles let you maintain separate authenticated sessions for different organizations or environments — for example, a production org and a staging environment — without overwriting your default credentials. Log in to a non-default profile by passing --profile and, optionally, --api-url to target a different backend: 
tolmo auth login --profile staging --api-url https://api.staging.example.com
Once a profile is saved, pass --profile to any command to use it: 
tolmo --profile staging sql "SELECT 1"
To make a non-default profile the active one for your entire shell session, set the TOLMO_PROFILE environment variable: 
export TOLMO_PROFILE=staging
Any subsequent command in that shell will use the staging profile without requiring the --profile flag.

Override organization

If you are logged in but need to run a single command against a different organization within the same profile, use the --org flag: 
tolmo --org other-org sql "SELECT 1"
This override applies only to that command and does not change your stored profile.

CI/CD & automation

Do not use tolmo auth login in CI/CD pipelines. The interactive OAuth flow requires a browser and cannot complete in a non-interactive environment. Use environment variables instead.
Set the following environment variables to authenticate without a stored profile:
VariableDescription
TOLMO_API_URLBackend API base URL. Defaults to the production endpoint when unset.
TOLMO_API_TOKENAPI token. When set, Tolmo skips profile lookup entirely.
TOLMO_ORG_SLUGOrganization slug. Required whenever TOLMO_API_TOKEN is set.
Export these variables in your CI environment or pipeline configuration: 
export TOLMO_API_URL="https://api.tolmo.com"
export TOLMO_API_TOKEN="your-api-token-here"
export TOLMO_ORG_SLUG="your-org-slug"
With these set, any tolmo command authenticates using the token and targets the specified organization, with no profile file required.
Store TOLMO_API_TOKEN as a secret in your CI platform (for example, a GitHub Actions secret or a Vault-injected variable) rather than hard-coding it in pipeline configuration files.

Stored credentials

Tolmo stores your profiles locally in ~/.tolmo/. Each profile contains the API URL and the authentication token for a specific organization and environment. No credentials are stored in your shell history or configuration files — only in ~/.tolmo/. To inspect the currently active profile and confirm which organization you are working in: 
tolmo auth status
The output includes the profile name, the API endpoint, and the active organization slug. Use this command any time you are unsure which context a command will run in.