Layers
Account

CLI Authorization

Authorize the Layers CLI via a browser-based PKCE OAuth flow.

View as Markdown

The layers CLI signs in using a browser-based PKCE OAuth flow. Run:

layers login

The CLI:

  1. Opens your default browser to the sign-in page.
  2. Starts a short-lived local HTTP listener on 127.0.0.1.
  3. Waits for the identity provider to redirect the authorization code back to that listener.
  4. Exchanges the code for an access + refresh token and stores them locally.

If the browser can't be opened automatically, the CLI prints the URL so you can paste it manually.

Force re-authentication

layers login --force

Clears the current credentials and sends you back through the sign-in flow. Useful when switching accounts.

Sign out

layers logout

Removes local credentials.

Current identity

layers whoami

Prints the signed-in email and user ID.

Default org / project

layers orgs list
layers orgs switch <org-id>

layers projects list
layers projects switch <project-id>

Sets the default organization and project used by subsequent CLI commands. If your account only has one org (or one project), layers login auto-sets them for you.

Partner API keys (for server-side use)

For backend integrations and CI/CD, generate a partner API key from Org → Settings → API Keys. The partner API is organization-scoped and does not expire until revoked or rotated. See API Keys.

On this page

Force re-authenticationSign outCurrent identityDefault org / projectPartner API keys (for server-side use)