Skip to main content

Documentation Index

Fetch the complete documentation index at: https://authsome.mbajaj.me/llms.txt

Use this file to discover all available pages before exploring further.

Authsome is a local credential layer for AI agents. You authenticate once with a provider (GitHub, Google, OpenAI, Linear, and more) and authsome keeps the credentials fresh for every agent run that follows. 
pip install authsome
authsome login github
authsome run -- python my_agent.py

Why agents need this

Agents run outside interactive sessions: in CI, over SSH, in cron jobs, in background workers, or in parallel pipelines. They need API access that survives without a human in the loop. Hardcoded environment tokens leak or go stale. Building auth flow logic, token storage, refresh handling, and per-provider config into every project rebuilds the same plumbing every time. Authsome is the local credential layer agents call at runtime.
  • No credential sprawl. One encrypted store — every provider, every agent, one place.
  • No SaaS, no privacy trade-off. Credentials never leave your machine.
  • No browser required at runtime. Setup uses browser PKCE, device code, or a browser bridge for secure API key entry. After that, agents run headlessly.

How it works

The CLI is the agent’s interface. Set up once, then inject fresh credentials whenever a tool runs. Credentials are stored locally in an encrypted SQLite vault, refreshed before expiry, and injected into agents either as environment variables (authsome export) or transparently through a local proxy (authsome run). No server. No account. No cloud.

Start here

Quickstart

Install authsome, log in to your first provider, and run an agent in under 5 minutes.

CLI reference

Every command, every flag, every exit code.

Architecture

The five layers: identity, policy, vault, auth, audit — and the proxy that ties them together.

Custom providers

Add any OAuth2 or API-key service that authsome doesn’t ship out of the box.

Pick your path

Log in with OAuth

Browser-based PKCE flow for services like GitHub, Google, Linear.

Use API keys

Secure browser bridge for OpenAI, Anthropic, and similar providers.

Run agents with the proxy

Inject auth headers without exposing raw secrets to the child process.

Headless setup

Authenticate over SSH or in CI with the device code flow.

Authsome compared

authsomeHardcoded env tokensDIY
Automatic token refreshYesNoBuild it
OAuth2 + API keysYesNoBuild it
Runtime headless useYesYesVaries
Local — no SaaS dependencyYesYesYes
Built-in providers, zero configYesNoNo
Multi-account per providerYesNoBuild it