Log in to the DNSimple CLI from Your Browser
Simone Carletti
on
You asked, we listened. The DNSimple CLI now lets you log in and authorize your account straight from your browser, with no API token to generate or paste.
Last month we announced the DNSimple CLI, a single binary that wraps our API and lets you access, manage, and troubleshoot your DNS and domain information directly from your terminal or your preferred agentic tool. The reaction was overwhelmingly positive, and we are grateful for all the feedback you sent our way.
The feature set matched what most of you expected, but one request kept coming up: the ability to log in interactively, without first generating an API token by hand and pasting it into the CLI. We worked around the clock to make it happen, across both our main application and the CLI itself, and I am happy to announce that interactive browser login is available today in DNSimple CLI 0.10.
A bit of context
We did not ship this in the earliest versions of the CLI for a simple reason: our OAuth 2.0 implementation was not yet compatible with the flow that interactive login requires.
The traditional OAuth flow assumes the application connecting to your account can keep a secret. That holds for a confidential client, such as one web service talking to another, where the secret lives safely on a server. A CLI is different. It runs on your machine, and everyone who installs it gets the same binary, so there is no secret it can keep. Clients like these, including CLIs and mobile apps, are known as public (or non-confidential) clients.
The answer is the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange). Instead of a stored secret, the CLI generates a fresh, single-use secret for each login and proves it owns that secret when it exchanges the authorization code for a token. We pair it with a loopback redirect: a tiny local listener on 127.0.0.1 that catches the browser redirect and hands the token back to the CLI.
Building this properly would have delayed the launch by a month or two, and we could not resist getting the CLI into your hands. So we shipped first with the classic API token, and circled back to interactive login as soon as the groundwork was in place.
How to log in
Browser login is the default in 0.10. Run dnsimple auth login, and the CLI opens your browser to the DNSimple authorization page:
$ dnsimple auth login
Opening your browser to authorize the DNSimple CLI...
Waiting for the authorization to complete in the browser.
Success! You're now logged in to DNSimple as you@example.com.
Context "production" (production, account 1010) is now active.
Approve the request in the browser, and you are done. There is no token to copy: the CLI receives it directly and stores it for you.
If you prefer the classic approach, authenticate with an API token by passing --with-token and pasting it when prompted:
$ dnsimple auth login --with-token
Follow the instructions at https://support.dnsimple.com/articles/api-access-token/ to generate an API token.
Paste your API token:
Success! You're now logged in to DNSimple as you@example.com.
Context "production" (production, account 1010) is now active.
In a non-interactive environment, such as a script or a CI job, there is no browser to open, so the CLI reads a token from standard input automatically: echo "$DNSIMPLE_TOKEN" | dnsimple auth login.
Already using the CLI?
If you are already authenticated with a token from an earlier version, the easiest path is to log out and log back in:
$ dnsimple auth logout
Removed context "production"
No contexts remain.
$ dnsimple auth login
Opening your browser to authorize the DNSimple CLI...
Waiting for the authorization to complete in the browser.
Success! You're now logged in to DNSimple as you@example.com.
Context "production" (production, account 1010) is now active.
Tip
Once you have switched to browser login, you can safely delete the API token you generated by hand from your account settings. The CLI no longer needs it.
Logging in to sandbox
The new login works against our sandbox environment exactly as it does in production. Add the --sandbox flag:
$ dnsimple auth login --sandbox
Opening your browser to authorize the DNSimple CLI...
Waiting for the authorization to complete in the browser.
Success! You're now logged in to DNSimple as you@example.com.
Context "sandbox" (sandbox, account 1010) is now active.
Try it out
Interactive browser login is available today in DNSimple CLI 0.10. If you already have the CLI installed, upgrade to the latest version and run dnsimple auth login. If you are new to it, the installation guide will get you set up in a minute, and the source is on GitHub, where issues and pull requests are always welcome.
This feature exists because you asked for it, so please keep the feedback coming. If you hit a snag or have an idea for what we should build next, get in touch. We'd love to hear from you.
If you're not using DNSimple yet, give us a try free for 30 days and manage your domains and DNS from the terminal, no token wrangling required.
Simone Carletti
Italian software developer, a PADI scuba instructor and a former professional sommelier. I make awesome code and troll Anthony for fun and profit.
We think domain management should be easy.
That's why we continue building DNSimple.
