
Overview

Lua CLI requires authentication to access the platform and deploy skills. API keys are resolved from environment variables, a local credentials file, or a .env file — no system keychain is required.

Commands

  • configure: Set up authentication
  • key: Display stored key
  • logout: Remove credentials

lua auth configure

Set up API key authentication.
lua auth configure

Authentication Methods

Non-Interactive Authentication

Both methods support fully non-interactive flows for CI, scripts, and AI IDEs:
# Direct API key (one shot)
lua auth configure --api-key "lk_xxx..."

# Email OTP — request a code
lua auth configure --email <email>
# (CLI prints "Check your email for a 6-digit code.")

# Email OTP — verify and store
lua auth configure --email <email> --otp 123456
Option | Description
--api-key <key> | Set API key directly. Best for CI/CD where you already have a key from the dashboard.
--email <email> | Request an OTP to be sent to this email. Step 1 of the OTP flow.
--otp <code> | Verify the 6-digit code from email and generate an API key. Step 2 of the OTP flow (combine with --email).
For CI/CD where you can’t read email, prefer --api-key (or set LUA_API_KEY directly — see below). The OTP flow is intended for first-time setup on developer machines, including AI IDEs that can poll for completion.

Where Credentials Are Stored

Credentials are stored in a plain-text file with owner-only permissions (0600):
~/.lua-cli/credentials
This file is created automatically by lua auth configure. It is never committed to version control and is only readable by your user account — the same security model used by tools like kubectl, gh, and aws configure.
Never commit API keys to version control or share them publicly!

Environment Variable Authentication

For CI/CD, Docker, and headless servers, set the LUA_API_KEY environment variable directly — no credentials file needed:
export LUA_API_KEY=your-api-key
The environment variable always takes priority over the credentials file.
export LUA_API_KEY=your-api-key
lua push
Add to ~/.zshrc or ~/.bashrc for persistence.

Key Resolution Order

The CLI checks sources in this priority order:
Priority | Source | Best for
1 | LUA_API_KEY env var | CI/CD, Docker, headless servers
2 | ~/.lua-cli/credentials | Local development
3 | .env file | Local development fallback
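
The priority order above as a local check, added here as an example (it is not part of the Lua CLI or its documentation). It reports which source would be selected and whether the credentials file has the 0600 mode described earlier. The function names are hypothetical, and it assumes .env is read from the project directory and that an empty LUA_API_KEY counts as unset.

```shell
#!/bin/sh
# Added example, not Lua CLI code. Assumptions: .env is read from the project
# directory, and an empty LUA_API_KEY counts as unset.

# Print every key source that is present, highest priority first.
# $1: home directory (default $HOME), $2: project directory (default .)
lua_key_sources() {
    home_dir=${1:-${HOME:-}}
    project_dir=${2:-.}
    if [ -n "${LUA_API_KEY:-}" ]; then echo "env"; fi
    if [ -f "$home_dir/.lua-cli/credentials" ]; then echo "credentials"; fi
    # Only plain KEY=value lines are matched, as in the Troubleshooting example.
    if [ -f "$project_dir/.env" ] &&
        grep -q '^LUA_API_KEY=' "$project_dir/.env"; then
        echo "dotenv"
    fi
}

# Print the source the documented order selects, or "none".
lua_key_effective() {
    src=$(lua_key_sources "$@" | head -n 1)
    echo "${src:-none}"
}

# Succeed only if the credentials file exists with mode exactly 0600.
lua_credentials_mode_ok() {
    cred_file=${1:-${HOME:-}}/.lua-cli/credentials
    [ -f "$cred_file" ] && [ -n "$(find "$cred_file" -prune -perm 600)" ]
}

# Report for the current user and directory.
echo "effective source: $(lua_key_effective)"
shadowed=$(lua_key_sources | sed 1d | tr '\n' ' ')
if [ -n "$shadowed" ]; then
    echo "lower-priority sources also present: $shadowed"
fi
if [ -f "${HOME:-}/.lua-cli/credentials" ] && ! lua_credentials_mode_ok; then
    echo "warning: ~/.lua-cli/credentials is not mode 0600"
fi
```

Running it after lua auth logout shows whether LUA_API_KEY or a .env entry is still present, since under the order above either one would still be picked up.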

lua auth key

Display your stored API key.
lua auth key

Security Confirmation

For security, you must confirm before displaying the key:
$ lua auth key
? This will display your API key. Are you sure you want to continue? Yes
🔑 Your API key:
api_abc123def456...
Use --force to skip the confirmation prompt (useful in scripts):
lua auth key --force

Use Cases

  • Copying to another machine: Get key to set up elsewhere
  • CI/CD configuration: Copy key for automated deployments
  • Verification: Confirm which key is currently configured

lua auth logout

Delete the stored credentials file.
lua auth logout

Confirmation Required

$ lua auth logout
? Are you sure you want to delete your API key? This action cannot be undone. Yes
 API key deleted successfully.
Use --force to skip the confirmation:
lua auth logout --force

What Happens

  1. Credentials File Removed: ~/.lua-cli/credentials is deleted
  2. CLI Access Lost: You’ll need to run lua auth configure or set LUA_API_KEY to use the CLI again
  3. Key Still Valid on Server: The key is NOT invalidated on the server — it just removes the local copy
After logout, the key still works if used elsewhere (e.g. as an env var). To fully revoke access, regenerate a new key from the admin dashboard.

Troubleshooting

Error: No API key found.
Solution: Authenticate using one of:
lua auth configure          # Interactive setup (stores in ~/.lua-cli/credentials)
export LUA_API_KEY=your-key # Environment variable
echo "LUA_API_KEY=key" >> .env  # .env file
Problem: Didn’t receive OTP email
Solutions:
  1. Check spam/junk folder
  2. Wait a few minutes (can take up to 5 min)
  3. Try again with lua auth configure
  4. Use API Key method instead
Error: ❌ Invalid OTP code
Solutions:
  • Double-check the code from email
  • OTP expires after 10 minutes
  • Request new OTP by running command again
Error: ❌ Authentication failed
Solutions:
  • Verify you copied the complete key
  • Check key hasn’t been revoked
  • Ensure no extra spaces
  • Generate new key via email method
Previous versions stored credentials in the OS keychain (via keytar). Starting in v3.9.0, credentials are stored in ~/.lua-cli/credentials.
One-time migration step:
lua auth configure
Or set the environment variable directly:
export LUA_API_KEY=your-api-key

Best Practices

Recommended for individual developers — automatic key management, no manual key to remember.
Inject the key as an environment variable or secret. No credentials file needed, no native dependencies.
# GitHub Actions
env:
  LUA_API_KEY: ${{ secrets.LUA_API_KEY }}

# Docker
docker run -e LUA_API_KEY=your-key my-image lua push
  • Don’t commit .env to git (add to .gitignore)
  • Don’t share in chat or email
  • Use lua auth logout when done on shared machines
  • Rotate keys regularly
LUA_TELEMETRY=false lua push
Or set LUA_TELEMETRY=false in your CI environment variables.

Next Steps

  • Initialize Project: Create your first skill after authentication
  • Deploy Commands: Deploy primitives to production