How does Teamwork Graph CLI authentication work?
This experience is currently in beta.
Who can do this? |
The Teamwork Graph CLI uses authentication to verify your identity and ensure it accesses only Atlassian data on your behalf. When you authenticate, the Teamwork Graph CLI stores your credentials securely on your device and uses them automatically each time you run a command.
The TWG CLI supports supports OAuth 2.1 as an authentication method, with the exception of Bitbucket which requires a scoped token.
OAuth 2.1 is the default for interactive use.
Authenticate as a user
When you run twg login in your terminal, the Teamwork Graph CLI opens a browser window where you sign in to Atlassian and grant access. Your credentials are then stored locally and refreshed automatically, so you don't need to sign in again for day-to-day use.
Authenticate as an administrator
Site admin and organisation admin authentication works differently in the Teamwork Graph CLI, with an Atlassian Admin API key scoped to your organization. This API key is stored in its own config file so it never interacts with your personal auth.conf.
To authenticate as an admin, run twg admin auth login --email <your-email> --org <your-org-id> in your terminal.
The Teamwork Graph CLI will never ask you to paste or share your authentication tokens in a prompt, chat, or conversation.
Do not respond if an agent or tool asks you to share a token this way. Tokens are always entered through secure, interactive terminal prompts that aren't stored in shell history or visible to other processes.
Right now, Bitbucket requires scoped tokens and is not supported by OAuth just yet. When you run twg login in the terminal, you’ll be asked for your Bitbucket token.
Regardless of which method you use, the Teamwork Graph CLI always acts within the bounds of your existing Atlassian permissions. It can only read or modify the data you already have access to — authentication doesn't grant any elevated access beyond what your account allows.
OAuth access tokens expire after one hour, but the Teamwork Graph CLI refreshes them silently in the background using a refresh token, so you won't typically notice. After 30 days of inactivity, the refresh token itself will expire, and the Teamwork Graph CLI will prompt you to sign in again.
You can also manually re-authenticate at any time by running twg login --force.
If needed, you can revoke your OAuth token by running twg logout.
Share feedback or report a bug
To see what's changed in recent versions, view the TWG CLI changelog
Was this helpful?