Authenticate CLI
Use this guide to establish and validate trading-cli authentication before running strategy, backtest, deployment, or validation workflows.
Quickstart
Login (human auth)
export PLATFORM_API_BASE_URL="https://api-nexus.lona.agency"
export PLATFORM_API_BEARER_TOKEN="<jwt-access-token>"
trading-cli health get
Whoami (identity/scope check)
trading-cli bot list
Logout
unset PLATFORM_API_BEARER_TOKEN PLATFORM_API_TOKEN PLATFORM_API_KEY
Bot Auth vs Human Auth
| Use case | Credential | Env var | Notes |
|---|---|---|---|
| Human operator in terminal or CI job with user identity | JWT bearer token | PLATFORM_API_BEARER_TOKEN | Preferred for user-scoped operations and invite acceptance flows. |
| Runtime bot automation | Runtime bot key (tnx.bot.<botId>.<keyId>.<secret>) | PLATFORM_API_KEY | Works for bot actor requests while preserving owner scope in validation flows. |
| Backward compatibility | Bearer token alias | PLATFORM_API_TOKEN | Alias for bearer auth; prefer PLATFORM_API_BEARER_TOKEN for new setups. |
Failure Troubleshooting
Expired Token
Expected error shape:
httpStatus: 401
code: "AUTH_UNAUTHORIZED"
Recovery:
- Mint a fresh bearer token from your identity provider.
- Re-export PLATFORM_API_BEARER_TOKEN.
- Re-run:
trading-cli health get
Revoked Token (Bot Key)
Expected error shape:
httpStatus: 401
code: "BOT_API_KEY_REVOKED"
Recovery:
- Rotate the bot key:
trading-cli key rotate --bot-id <bot-id> --reason "replace revoked key"
- Update secret storage with the newly issued key.
- Retry the failed command with the new PLATFORM_API_KEY.
Unauthorized (Missing/Invalid Credential)
Expected error shape:
httpStatus: 401
code: "AUTH_UNAUTHORIZED" or code: "BOT_API_KEY_INVALID"
Recovery:
- Check auth vars:
env | rg '^PLATFORM_API_(BEARER_TOKEN|TOKEN|KEY)='
- Ensure PLATFORM_API_BASE_URL is set to the platform host or local loopback.
- Retry with request correlation:
trading-cli bot list --request-id req-cli-auth-check-001
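
The `env | rg` check above prints full credential values to the terminal, and an expired JWT returns the same AUTH_UNAUTHORIZED code as a missing or invalid one. The sketch below is an added example, not part of trading-cli: it reports which variables are set and what shape they have without echoing them, and reads the JWT `exp` claim locally to tell the two cases apart. The function names are hypothetical, and it assumes bot-key ids and secrets contain no dots and that `base64 -d` is available.

```shell
#!/bin/sh
# Added example: inspect PLATFORM_API_* credentials without echoing secrets.
# Assumption: bot-key ids and secret contain no dots, following the
# tnx.bot.<botId>.<keyId>.<secret> shape from the table above.

jwt_exp() {
  # Print the exp claim (epoch seconds) from a JWT payload, or nothing if
  # the payload cannot be decoded or has no exp. No signature check is done.
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in      # restore the padding base64url strips
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

classify_cred() {
  # $1 = credential value, $2 = "now" in epoch seconds (defaults to date).
  val=$1 now=${2:-$(date +%s)}
  [ -n "$val" ] || { echo unset; return 0; }
  dots=$(printf '%s' "$val" | tr -cd '.')
  case $val in
    *..*|.*|*.) echo malformed; return 0 ;;          # an empty field
    tnx.bot.*) [ "${#dots}" -eq 4 ] && echo bot-key || echo malformed
               return 0 ;;
  esac
  [ "${#dots}" -eq 2 ] || { echo not-a-jwt; return 0; }
  exp=$(jwt_exp "$val")
  [ -n "$exp" ] || { echo jwt-no-exp; return 0; }    # absent or undecodable
  # Local hint only: the server still decides whether the token is accepted.
  [ "$exp" -le "$now" ] && echo jwt-expired || echo jwt-unexpired
}

auth_preflight() {
  # One line per variable: name, classification, length. Never the value.
  for name in PLATFORM_API_BEARER_TOKEN PLATFORM_API_TOKEN PLATFORM_API_KEY; do
    eval "v=\${$name-}"
    printf '%s: %s (%s chars)\n' "$name" "$(classify_cred "$v")" "${#v}"
  done
}

auth_preflight
```

A `jwt-expired` result points to the Expired Token recovery; `unset`, `malformed` or `not-a-jwt` points to the Unauthorized recovery.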