Skip to content

Authentication

tracker auth login

tracker auth login [--server URL] [--use-device-code]

Authenticate against a tracker server. Opens your browser for Google OAuth, exchanges the resulting ID token for a tracker Personal Access Token (PAT), and stores everything in ~/.tracker.yaml.

Defaults to the pltf-dev tracker. Pass --server to target a different instance.

Headless machines

On machines without a browser (EC2, SSH sessions), use the device code flow:

tracker auth login --use-device-code

This prints a URL and a short code. Visit the URL on any device with a browser, enter the code, and complete Google sign-in. The CLI picks up the result automatically.

tracker auth status

tracker auth status [--offline]

Show current authentication state: user, server, token expiry, and whether the token is still valid.

By default, verifies with the server via a lightweight API call. Use --offline to skip the server check and show only local config info.

$ tracker auth status
User:    jsmith@natera.com
Server:  https://tracker.292967571998.natera.io
Expires: 2026-07-23T14:30:00+00:00 (89d remaining)
Status:  valid
Token:   cli

Token refresh

Tokens expire after 90 days. The CLI auto-refreshes them transparently — when a PAT is near expiry (within 24 hours), the CLI uses a stored Google refresh token to obtain a new one before making the request. If auto-refresh fails (e.g., Google access revoked), the CLI prompts you to re-login.

Auto-refresh is disabled when the TRACKER_TOKEN environment variable is set, since env-var tokens are managed externally.

Service accounts (CI, automation)

For CI pipelines and automated systems, use a service account PAT instead of interactive login. Request one from a platform admin, then set it as a CI variable:

export TRACKER_TOKEN=pat_...
tracker run https://gitlab.natera.com/org/pipeline.git -r main --outdir s3://bucket/out
tracker wait RUN_NAME

No tracker auth login or config file is needed — TRACKER_TOKEN is sufficient. Optionally set TRACKER_SERVER if the CI environment targets a non-default tracker instance.