> ## Documentation Index
> Fetch the complete documentation index at: https://www.ravion.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Sign in to Ravion from the CLI, choose an active organization, and manage stored credentials for scripting and day-to-day operations.

The Ravion CLI authenticates with your Ravion account and stores credentials locally for subsequent commands.

## Sign in

Sign in with:

```bash theme={null}
ravion login
```

By default, `login` uses the device-authorization flow. The CLI prints a URL and a short code, and you approve the sign-in from any browser, including a browser on another device. This works on headless hosts.

## Check your identity

Confirm who you are signed in as:

```bash theme={null}
ravion whoami
```

Add `--json` to get machine-readable output.

## Select an organization

If you belong to more than one organization, choose the active one:

```bash theme={null}
ravion switch
```

This walks through your organizations and persists the selection. Pass `--org <id-or-name>` to skip the interactive picker. Switching organization clears the active workspace, so `ravion terraform` asks you to pick a workspace again.

## Sign out

Clear locally stored credentials:

```bash theme={null}
ravion logout
```

## Credential storage

Credentials are stored under your config directory:

```text theme={null}
${XDG_CONFIG_HOME:-$HOME/.config}/ravion/auth.json
```

## Service accounts and API keys

For automation that should not depend on a person's session, use a service account API key instead of an interactive login. See [`ravion service-account`](/cli/reference/service-account) and [`ravion api-key`](/cli/reference/api-key).

## Non-interactive authentication

Set a credential in the environment to authenticate without `ravion login`. When one of these variables is set, the CLI uses it instead of the stored credentials and skips the device-authorization flow.

| Variable              | Description                                                                                                                |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `RAVION_API_KEY`      | An organization-scoped service account API key. Takes precedence over the other variables and over any stored credentials. |
| `RAVION_TOKEN`        | An OAuth access token. Used if `RAVION_API_KEY` is not set.                                                                |
| `RAVION_ACCESS_TOKEN` | Alias for `RAVION_TOKEN`.                                                                                                  |

An API key is scoped to its organization, so you don't run `ravion switch` when you use `RAVION_API_KEY`. This is the recommended way to authenticate in CI. See [CI integration](/config-as-code/ci-integration).

```bash theme={null}
export RAVION_API_KEY=<your-api-key>
ravion whoami
```

## Next steps

<CardGroup cols={2}>
  <Card title="Command reference" icon="terminal" href="/cli/overview">
    Browse every CLI command.
  </Card>

  <Card title="Terraform credentials" icon="layer-group" href="/cli/reference/terraform">
    Run Terraform with Ravion-managed credentials.
  </Card>
</CardGroup>
