orstrum login
Authenticate the CLI with your cloud workspace via GitHub OAuth.
$ orstrum login How it works
Running orstrum login opens a browser window for GitHub OAuth. Once you
authenticate, the CLI receives a JWT and refresh token and writes them to
~/.orstrum/credentials.json.
The token is refreshed automatically using Supabase's refresh-token flow. You should only need to
run orstrum login once per machine.
What the token grants
The JWT contains your workspace ID and role in its app_metadata. All cloud
operations — orstrum push and the hosted MCP endpoint — use this token. Postgres
Row-Level Security automatically scopes every query to your workspace.
Serving the cloud graph
login only writes ~/.orstrum/credentials.json — it does
not touch orstrum.config.ts, and there is no
cloud.endpoint config field. Once you're logged in and have run
orstrum push, serve the hosted
graph explicitly with the --cloud flag:
$ orstrum serve --cloud orstrum login → credentials file written →
orstrum push → orstrum serve --cloud. You can also register
it with Claude Code in one step:
claude mcp add orstrum-cloud -- orstrum serve --cloud.