omi auth login (with no flags) asks how you’d like to authenticate:
$ omi auth loginHow would you like to log in? 1) Browser — sign in with Google or Apple via OAuth (recommended for humans) 2) API key — paste a developer key from app.omi.me (recommended for agents/CI)Choose 1 or 2 [1]: _
Browser (humans)
API key (agents, CI)
Headless / CI
Stdin
omi auth login # pick option 1# or skip the prompt:omi auth login --browser
The CLI starts a localhost callback server on an ephemeral port, opens
your default browser to Omi’s auth page, and waits for the callback.
Sign in with Google (or --provider apple) and you’re back at the
terminal — no copying tokens around.Tokens are stored at ~/.omi/config.toml (file mode 0600). The
short-lived Firebase ID token is auto-refreshed before each request
using the long-lived refresh token.
omi auth login --api-key omi_dev_...
Or interactively (input is hidden — your token never lands in shell
history):
omi auth login # pick option 2
Generate a dev API key in the Omi web app under Developer → API Keys.
Choose the scopes you want — memories:read, memories:write,
conversations:read, etc. The CLI validates the omi_dev_ prefix
client-side so you fail fast on a typo.
export OMI_API_KEY=omi_dev_...
The env var takes effect immediately; no on-disk config needed. The same
prefix validation runs, so a malformed value fails with a clear error
rather than a cryptic 401. Pair with --api-base if you’re targeting a
staging backend.
omi auth login < /path/to/key.txt
Useful when the key lives in a secret manager and you can pipe it in
without ever displaying it. (Browser flow doesn’t work over stdin —
the CLI assumes piped input is an API key.)
Confirm:
omi auth status
omi auth status profile default authenticated ✓ auth_method oauth api_base https://api.omi.me credential eyJhbG…1234 id_token_expires_at 1714142400.0