# Authentication

Source: https://redcrown.ai/docs/guides/auth/

Sign in from the app, the CLI, and agents.

## 1. App

Sign in to the web app with your email and password. The app maintains your session in the browser automatically.

**UI**

Go to **Login** at `/login`. Enter your email and password and click **Sign in**. If you do not have an account yet, click **Sign up** and check your inbox for a confirmation link before signing in.

**CLI**

Not available via the CLI. Use the UI to sign in to the app, or see the CLI device login step below.

**MCP**

On the first tool call from a connected agent, RedCrown triggers OAuth browser consent. Your agent's MCP client will open a browser page where you approve access. The token is stored and reused for subsequent calls from that client.

## 2. CLI device login

The CLI uses an OAuth device flow so you can authorize from any browser, even if the CLI runs on a remote machine.

**UI**

Not available via the UI. The CLI logs in from your terminal.

**CLI**

Run `redcrown login` to start a device-flow session. The CLI prints a short code and opens a verification page in your browser. Approve access there and the CLI stores credentials at `~/.redcrown/credentials.json`.

```
redcrown login
```

To sign out and remove stored credentials:

```
redcrown logout
```

For non-interactive use (CI, scripts), set **`REDCROWN_TOKEN`** to a valid access token and the CLI will use it without prompting for a browser flow.

**MCP**

Not applicable to MCP. See the headless agents step below for running agents without a browser.

## 3. Headless agents

Agents running in CI or other headless environments can authenticate without a browser by exchanging credentials for a dual-audience token via the first-party `cli-token` route.

**UI**

Not available via the UI. Headless token exchange is done from the CLI or directly via the API.

**CLI**

A first-party email and password **cli-token** exchange yields a dual-audience token that authorizes both the REST API and `mcp.redcrown.ai`, so an agent can drive MCP tools with no browser consent step. Set the resulting token as `REDCROWN_TOKEN` in your environment before running the agent.

**MCP**

Present the dual-audience bearer token obtained via the cli-token exchange as the `Authorization: Bearer` header when connecting to `mcp.redcrown.ai`. No browser consent step is needed. The token carries the MCP audience alongside the API audience, so every tool call is authorized for the full session lifetime of the token.

Last verified 2026-07-02.
