asd auth — authentication stateIdentity and tokens for the tunnel server. Whenever something tunnel-related stops working, this is the first group to check.
asd holds credentials in ~/.config/asd/tunnel/credentials.json
(and respects ASD_TUNNEL_TOKEN from the environment if set). The
auth group inspects, refreshes, and switches between credential
sources.
For first-time login and headless / CI login, see also
cli/login under "Auth & secrets".
| Command | What it does |
|---|---|
asd auth status |
Are the local credentials valid against the tunnel server? Shows expiry. |
asd auth whoami |
Identity (client-id, server, account) for the active credentials. |
asd auth refresh |
Pull a new token from the tunnel server (use when expiry is near). |
asd auth credentials |
List every credential source in priority order with status (env, file, keychain). |
asd auth switch |
Interactive picker for credential sets + tunnel servers (handy when you have several). |
asd auth export |
Print the active credentials as env vars for Docker / CI piping. |
| Goal | Command |
|---|---|
| Did my creds expire? | asd auth status |
| Which client-id am I? | asd auth whoami |
| Force refresh after a 401 | asd auth refresh |
| Switch between dev + work accounts | asd auth switch |
| Pipe creds into a docker container | eval "$(asd auth export)" |
| Debug "which credential is asd using?" | asd auth credentials |
asd auth credentials lists sources in the order asd checks them:
ASD_TUNNEL_TOKEN (env var) — highest priority. Set in CI~/.config/asd/tunnel/credentials.json — persistent fileasd login / asd login key. The default forThe first source that returns a usable credential wins. If you've
got a stale env var set, it'll override your fresh
~/.config/asd/tunnel/credentials.json — asd auth credentials
makes that explicit.
| Symptom | Cause | Fix |
|---|---|---|
asd auth status returns "No credentials found" |
No login has happened on this machine |
asd login (browser) or asd login key <KEY> (headless) |
asd auth status returns "Token expired" |
Token past expiry | asd auth refresh; if it fails, re-login |
auth whoami shows the wrong account |
Stale ASD_TUNNEL_TOKEN env var |
unset ASD_TUNNEL_TOKEN and re-check |
| Routes/tunnels work but show wrong subdomain | auth whoami shows the wrong client-id |
asd auth switch to the correct credential set |
asd login / asd login key — first-time and headless authentication (covered in cli/index § Auth & secrets).cookbook/ci-cd-with-asd — headless auth in CI pipelines.cookbook/debug-a-broken-route — auth as Step 4 of the diagnostic tree.