CLI authentication

Every arena command needs to know who you are. Pick one method and stick with it until you rotate credentials.

ARENA_API_KEY (scripts and CI)

Use this when there is no browser on the machine.

  1. Sign in to Arena in the web app.

  2. Open Profile management from the profile menu → CLI API key.

  3. Click Create CLI API key and copy the full secret from the one-time modal.

  4. Export it in your shell or job config:

export ARENA_API_KEY='arena_pat_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_yoursecret...'

The key is tied to your user. Arena uses your current organization (the org selected in the UI) for permission checks.

Rotate key or Revoke key on the same profile section. After revoke, automation stops until you create a new key or switch to arena login.

Some CLI builds accept --api-key on a single command; the environment variable is the usual choice.

arena login (your laptop)

For day-to-day use on a machine with a browser:

arena login

The CLI opens Keycloak sign-in, then saves a session token locally. Re-run arena login when commands start failing with an auth error (session expired).

Profile copy refers to this as the alternative to ARENA_API_KEY. You do not need both at once for normal use.

Which to use

Situation

Use

Laptop, trying snippets from Agents

arena login

CI, cron, headless runner

ARENA_API_KEY

Key leaked or person leaves

Revoke key in profile, issue a new PAT

When auth fails

Commands may refuse to run if the key is missing, truncated, or revoked.

If arena login worked yesterday but not today, run arena login again.

If problems persist, confirm you are in the right organization in the web app. CLI access follows that membership.