Authentication
Sign in from the app, the CLI, and agents.
1. App
Sign in to the web app with your email and password. The app maintains your session in the browser automatically.
Go to Login at /login. Enter your email and password and click Sign in. If you do not have an account yet, click Sign up and check your inbox for a confirmation link before signing in.
Not available via the CLI. Use the UI to sign in to the app, or see the CLI device login step below.
On the first tool call from a connected agent, RedCrown triggers OAuth browser consent. Your agent's MCP client will open a browser page where you approve access. The token is stored and reused for subsequent calls from that client.
2. CLI device login
The CLI uses an OAuth device flow so you can authorize from any browser, even if the CLI runs on a remote machine.
Not available via the UI. The CLI logs in from your terminal.
Run redcrown login to start a device-flow session. The CLI prints a short code and opens a verification page in your browser. Approve access there and the CLI stores credentials at ~/.redcrown/credentials.json.
redcrown login
To sign out and remove stored credentials:
redcrown logout
For non-interactive use (CI, scripts), set REDCROWN_TOKEN to a valid access token and the CLI will use it without prompting for a browser flow.
Not applicable to MCP. See the headless agents step below for running agents without a browser.
3. Headless agents
Agents running in CI or other headless environments can authenticate without a browser by exchanging credentials for a dual-audience token via the first-party cli-token route.
Not available via the UI. Headless token exchange is done from the CLI or directly via the API.
A first-party email and password cli-token exchange yields a dual-audience token that authorizes both the REST API and mcp.redcrown.ai, so an agent can drive MCP tools with no browser consent step. Set the resulting token as REDCROWN_TOKEN in your environment before running the agent.
Present the dual-audience bearer token obtained via the cli-token exchange as the Authorization: Bearer header when connecting to mcp.redcrown.ai. No browser consent step is needed. The token carries the MCP audience alongside the API audience, so every tool call is authorized for the full session lifetime of the token.
Last verified .