Authentication

Interactive Login

Sign in with your Wendy account:

wendy auth login

This opens a browser window to complete OAuth. When it finishes, the CLI generates a key pair, issues an mTLS certificate, and stores it in ~/.wendy/config.json. All subsequent cloud and device commands use this certificate automatically — you don't need to do anything else.

The CLI also prints a QR code you can scan with the Wendy iOS app if you prefer to authenticate on your phone.

Logging Out

wendy auth logout

Removes all stored credentials. Commands that require a certificate will fall back to plaintext mode and prompt you to log in again.

Refreshing Certificates

wendy auth refresh-certs

Generates a new key pair and reissues mTLS certificates in place. Run this if your certificates are close to expiry.

Personal Access Tokens

Personal Access Tokens (PATs) are for CI/CD pipelines, automation scripts, and any non-interactive context where browser login isn't possible.

Create a token from the Wendy Cloud dashboard. Tokens look like wnd_pat_... and are used exactly like a logged-in session:

export WENDY_TOKEN=wnd_pat_your_token_here
wendy cloud discover

PATs are scoped to your account and can be revoked from the dashboard at any time.

How It Works

Wendy uses mutual TLS (mTLS) for all authenticated connections. When you log in, your machine gets an X.509 certificate signed by Wendy's PKI. When you connect to a cloud-enrolled device, both sides verify each other's certificates before any data flows.

This means no passwords are transmitted over the wire — authentication is entirely certificate-based.