B3n GateKeeper CLI for auth and token management
Project description
B3n GateKeeper CLI
The CLI authenticates through OAuth device authorization and stores tokens in
the OS keyring when available, falling back to a 0600 local credentials file.
It refreshes expired access tokens with the stored refresh token and accepts
B3N_GATEKEEPER_TOKEN or B3N_GATEKEEPER_ACCESS_TOKEN for automation.
```sh
b3n-gatekeeper doctor --url https://auth.example.com
b3n-gatekeeper login --url https://auth.example.com
b3n-gatekeeper whoami
b3n-gatekeeper org list
b3n-gatekeeper org switch <org-id> --client-id <client-id> --audience example-api --scope api:read
b3n-gatekeeper session list
b3n-gatekeeper session label <session-id> "Work laptop"
b3n-gatekeeper session revoke <session-id>
b3n-gatekeeper token list
b3n-gatekeeper token create "Local dev key" --scope auth:read --audience gatekeeper-api
b3n-gatekeeper token rotate <token-id>
b3n-gatekeeper token validate gk_xxx --audience gatekeeper-api --scope auth:read
```
b3n-gatekeeper doctor checks public health, OIDC discovery, JWKS, owner/setup
state, SMTP/dev-mode, management capabilities, and visible clients, projects,
tokens, and sessions.
If --url is omitted, the CLI reads B3N_GATEKEEPER_URL and otherwise defaults to
http://localhost:8000 for local development.
Client Creation
Operators can register public browser/CLI clients or confidential backend/API clients from the CLI:
```sh
b3n-gatekeeper client create "Example web" \
  https://app.example.com/auth/callback \
  example-api \
  --url https://auth.example.com \
  --client-id example-web \
  --public \
  --origin https://app.example.com \
  --scope "openid profile email auth:read"
```
Confidential clients return a copy-once secret. To avoid printing that secret to terminal history, logs, or automation output, the CLI requires an explicit new output file and redacts the JSON response:
```sh
b3n-gatekeeper client create "Example backend" \
  https://api.example.com/auth/callback \
  example-api \
  --url https://auth.example.com \
  --client-id example-backend \
  --confidential \
  --origin https://api.example.com \
  --scope "openid profile email auth:read" \
  --secret-output /path/to/private/example-backend.client-secret
```
The secret output file is created with 0600 permissions and must not already
exist. Move its contents into the relevant secret store, then remove the local
copy.
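The create-once, 0600 behaviour described above can be sketched as follows. This is an added example, not the project's own code; it assumes a POSIX system, and the `client_secret` field name, the function names and the sample response are hypothetical.

```python
import json
import os
import stat
import tempfile


def write_secret_once(path: str, secret: str) -> None:
    """Create `path` exclusively with mode 0600 and write the secret to it."""
    # O_EXCL with O_CREAT fails with FileExistsError if the path exists,
    # including when it is a symlink, so nothing is overwritten or followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fh.fileno(), 0o600)  # exact mode regardless of umask
        fh.write(secret)


def store_and_redact(response: dict, secret_output: str,
                     field: str = "client_secret") -> str:
    """Write the secret to disk first, then return JSON that is safe to print."""
    # "client_secret" is an assumed field name, not taken from the project.
    write_secret_once(secret_output, response[field])
    redacted = dict(response)
    redacted[field] = "[redacted: see secret output file]"
    return json.dumps(redacted, sort_keys=True)


def demo() -> dict:
    # Constructed sample response; not real server output.
    response = {"client_id": "example-backend",
                "client_secret": "constructed-secret-value"}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "example-backend.client-secret")
        printed = store_and_redact(response, target)
        mode = stat.S_IMODE(os.stat(target).st_mode)
        try:
            write_secret_once(target, "second-write")
            refused = False
        except FileExistsError:
            refused = True
        with open(target, encoding="utf-8") as fh:
            stored = fh.read()
    return {"printed": printed, "mode": mode,
            "refused": refused, "stored": stored}


if __name__ == "__main__":
    print(demo())
```

Because the file is opened with `O_CREAT | O_EXCL`, a second run against the same path fails instead of silently replacing a secret that may already be in use.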
Generic GATEKEEPER_* names are intentionally not read by this B3n package so
local automation cannot accidentally reuse credentials from another GateKeeper
installation.
File details
Details for the file b3n_gatekeeper-0.1.1.tar.gz.
File metadata
- Download URL: b3n_gatekeeper-0.1.1.tar.gz
- Upload date:
- Size: 9.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 90338182ed9efd4df92148dc6a373cb8f7314b94cc8e054f7a6967d2e35fd235 |
| MD5 | 64a33dfbd430918e10c6332b9c482e0e |
| BLAKE2b-256 | 032866320e97c751dc1b02e39498776a462d5cf7250f09a0598694fd9ce995e5 |
Provenance
The following attestation bundles were made for b3n_gatekeeper-0.1.1.tar.gz:
Publisher: publish-cli.yml on benaiah-ke/b3n-gatekeeper-auth
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: b3n_gatekeeper-0.1.1.tar.gz
- Subject digest: 90338182ed9efd4df92148dc6a373cb8f7314b94cc8e054f7a6967d2e35fd235
- Sigstore transparency entry: 1766179449
- Sigstore integration time:
- Permalink: benaiah-ke/b3n-gatekeeper-auth@f235648448c5b876eb08358b76dd953ab70dfd44
- Branch / Tag: refs/heads/main
- Owner: https://github.com/benaiah-ke
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-cli.yml@f235648448c5b876eb08358b76dd953ab70dfd44
- Trigger Event: workflow_dispatch
File details
Details for the file b3n_gatekeeper-0.1.1-py3-none-any.whl.
File metadata
- Download URL: b3n_gatekeeper-0.1.1-py3-none-any.whl
- Upload date:
- Size: 9.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 196657ac4700dc171db0b7308e3a4035e5dc39130dc897e0051d778150f324d5 |
| MD5 | 8a0e5a92c7b35d207590370353d94af3 |
| BLAKE2b-256 | f96adee8fad9fae30b9e0194c07f1041c0c1a26939b3d205cd34a87848382afc |
Provenance
The following attestation bundles were made for b3n_gatekeeper-0.1.1-py3-none-any.whl:
Publisher: publish-cli.yml on benaiah-ke/b3n-gatekeeper-auth
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: b3n_gatekeeper-0.1.1-py3-none-any.whl
- Subject digest: 196657ac4700dc171db0b7308e3a4035e5dc39130dc897e0051d778150f324d5
- Sigstore transparency entry: 1766179832
- Sigstore integration time:
- Permalink: benaiah-ke/b3n-gatekeeper-auth@f235648448c5b876eb08358b76dd953ab70dfd44
- Branch / Tag: refs/heads/main
- Owner: https://github.com/benaiah-ke
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-cli.yml@f235648448c5b876eb08358b76dd953ab70dfd44
- Trigger Event: workflow_dispatch