orstrum login

Authenticate the CLI with your cloud workspace via GitHub OAuth.

$ orstrum login

How it works

Running orstrum login opens a browser window for GitHub OAuth. Once you authenticate, the CLI receives a JWT and refresh token and writes them to ~/.orstrum/credentials.json.

The token is refreshed automatically using Supabase's refresh-token flow. You should only need to run orstrum login once per machine.

What the token grants

The JWT contains your workspace ID and role in its app_metadata. All cloud operations — orstrum push and the hosted MCP endpoint — use this token. Postgres Row-Level Security automatically scopes every query to your workspace.

Serving the cloud graph

login only writes ~/.orstrum/credentials.json — it does not touch orstrum.config.ts, and there is no cloud.endpoint config field. Once you're logged in and have run orstrum push, serve the hosted graph explicitly with the --cloud flag:

$ orstrum serve --cloud
The typical flow is: orstrum login → credentials file written → orstrum pushorstrum serve --cloud. You can also register it with Claude Code in one step: claude mcp add orstrum-cloud -- orstrum serve --cloud.