Authentication (Login)

To start with launch a first manual sync:

dcli sync

Authenticating to your personal vault requires your email. You will be then asked to validate a second factor to register the CLI to your account.

Supported primary authentication methods

  • Master Password
  • SSO (self-hosted)
  • Confidential SSO (using Nitro Enclaves)
Password-Less authentication is not supported yet.

Requirements for SSO authentication

You must have:

  • the latest Chrome browser (opens in a new tab) installed on your machine
  • a visual interface to be able to authenticate in the browser
  • a machine that has a keychain (macOS, Windows, Linux with libsecret installed for instance)

The CLI will open a new incognito tab to authenticate you to your SSO provider.

Supported 2FA methods

  • Email code validation (default)
  • TOTP code validation (via an authenticator app)
  • DUO push notification

By completing the device registration process, you'll be now asked to enter your Master Password.

Lock the CLI

You can lock the CLI at any time by running:

dcli lock

This will require you to enter your Master Password again to unlock the CLI.


Save Master Password

By default your Master Password will be saved locally in the OS keychain so you don't have to enter it every time. You can disable this behavior with the following command:

dcli configure save-master-password false

Unlock with Biometrics

You can unlock the CLI with your biometrics (Touch ID, Face ID) if your machine supports it (only macOS for now).

dcli configure user-presence --method biometrics

And to disable it:

dcli configure user-presence --method none