|
2 | 2 |
|
3 | 3 | ## Quick Start (no GCP setup needed) |
4 | 4 |
|
5 | | -The `wk` binary includes a shared OAuth client via `auth.automagik.dev`. |
6 | | -No GCP console, no credentials.json, no client secrets required. |
| 5 | +The `wk` binary ships with a shared OAuth client via `auth.automagik.dev`. |
| 6 | +**No GCP console, no credentials.json, no client secrets required.** |
7 | 7 |
|
8 | | -**Desktop/laptop:** |
| 8 | +Install: |
| 9 | +```bash |
| 10 | +# Linux amd64 |
| 11 | +curl -sSL https://github.com/automagik-dev/workit/releases/latest/download/workit_linux_amd64.tar.gz | tar xz -C ~/.local/bin |
| 12 | +# macOS arm64 |
| 13 | +curl -sSL https://github.com/automagik-dev/workit/releases/latest/download/workit_darwin_arm64.tar.gz | tar xz -C ~/.local/bin |
| 14 | +``` |
| 15 | + |
| 16 | +Check: `wk version` and `wk auth status` |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +## Auth flows by environment |
| 21 | + |
| 22 | +### Desktop / laptop |
9 | 23 | ```bash |
10 | 24 | wk auth manage # opens browser, auto-closes after login |
11 | | -wk gmail search 'newer_than:1d' |
12 | 25 | ``` |
13 | 26 |
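Review bot: The Install block pipes the `releases/latest` tarball straight from `curl` into `tar` with no integrity check and no `-f`, so a tampered or replaced release asset, or an HTTP error body, goes directly into `~/.local/bin`. Suggest pinning a release tag instead of `latest`, downloading to a file with `curl -fsSL -o`, verifying it against a checksum or signature if the release publishes one, and only then extracting. The block also assumes `~/.local/bin` already exists and unpacks every file in the archive there; a `mkdir -p` and extracting only the `wk` binary would be cleaner.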
|
14 | | -**Remote server / VPS (SSH):** |
| 27 | +### Remote server / VPS (SSH headless) |
15 | 28 | ```bash |
16 | | -wk auth manage # prints URL with server IP — open in your browser |
17 | | -# After login, server auto-closes |
18 | | -wk gmail search 'newer_than:1d' |
| 29 | +wk auth manage # detects no TTY, prints URL with server outbound IP |
| 30 | +# Open printed URL in your browser — auth completes automatically |
19 | 31 | ``` |
20 | 32 |
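Review bot: The headless SSH section says the URL carries the server's outbound IP but no longer says what is listening behind it. The old text being removed in this commit stated that `wk auth manage` "binds to 0.0.0.0" and the old `--print-url` example showed an `http://IP:PORT` URL on port 8085. If that is still how the flow works, keep that sentence here so operators know an auth callback listener is reachable on every interface for the duration of the login, and suggest restricting it with a firewall rule or reaching it through an SSH port forward. If the flow no longer opens a local listener, say so, because "URL with server outbound IP" still reads as if it does.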
|
21 | | -**Agent / headless automation:** |
| 33 | +### Agent / automation (fully unattended) |
22 | 34 | ```bash |
23 | | -wk auth manage --print-url # prints {"url":"http://IP:PORT","port":8085} |
24 | | -# User opens URL, logs in; your code polls: |
25 | | -wk auth poll <state> # returns token when ready |
| 35 | +wk auth add user@example.com --headless --no-input |
| 36 | +# Prints a Google login URL. User (or automation) opens it. |
| 37 | +# CLI polls auth.automagik.dev until token arrives, then stores it. |
26 | 38 | ``` |
27 | 39 |
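Review bot: The comment "CLI polls auth.automagik.dev until token arrives" is the only place the doc says that the token for the unattended flow is handed over by the shared `auth.automagik.dev` service, and it does not say what that service sees or retains. For a flow aimed at agents, add a sentence on what passes through the relay and whether the poll has a timeout (with `--no-input` an abandoned login would otherwise leave the process waiting), and point readers who cannot route tokens through a third party to section 5 (BYO GCP).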
|
28 | | -**Linux headless (no D-Bus):** |
29 | | -Keyring is auto-configured. After `wk auth manage`, source the generated file: |
| 40 | +### Get just the URL (for scripting) |
30 | 41 | ```bash |
31 | | -source ~/.config/workit/credentials.env |
| 42 | +wk auth manage --print-url # prints JSON: {"url":"https://...","state":"..."} |
32 | 43 | ``` |
33 | 44 |
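Review bot: The `--print-url` example now returns a `state` field, but this commit also removes every mention of `wk auth poll <state>`, so a script author is given a value with no documented use. Either keep the `wk auth poll <state>` line next to this example or explain how a script completes the login after printing the URL. If `state` is what the poller presents to collect the token, the doc should also say it must not be written to logs or shared output.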
|
34 | | -Use this file for account setup, token lifecycle, and Workspace service-account flows. |
| 45 | +**Linux headless keyring:** auto-configured. No manual setup or `source` needed after v2.260227.4+. |
| 46 | + |
| 47 | +--- |
35 | 48 |
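Review bot: "after v2.260227.4+" on the keyring line is ambiguous: "after" plus a trailing "+" does not say whether v2.260227.4 itself is included. Write "from v2.260227.4 onward" or "in versions after v2.260227.4". The line also drops the `source ~/.config/workit/credentials.env` step without saying what happens to a `credentials.env` already generated by an earlier version; state whether it is still read and whether it should be deleted.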
|
36 | 49 | ## 1) Inspect auth state |
37 | | -- `wk auth status` |
38 | | -- `wk auth list` |
39 | | -- `wk auth services` |
40 | | - |
41 | | -## 2) Login (interactive OAuth) |
42 | | -- **Recommended entry point:** `wk auth manage` — opens account manager UI, works on desktop and headless/remote servers (binds to 0.0.0.0, shows outbound IP, auto-closes after auth) |
43 | | -- Add account directly: `wk auth add <email>` |
44 | | -- Remove account: `wk auth remove <email>` |
45 | | - |
46 | | -## 3) Multi-account workflows |
47 | | -- List accounts: `wk auth list` |
48 | | -- Per-command account selection: `wk -a user@company.com drive ls` |
49 | | -- Use aliases: |
50 | | - - `wk auth alias set work user@company.com` |
51 | | - - `wk auth alias list` |
52 | | - - `wk auth alias unset work` |
53 | | - |
54 | | -## 4) Headless OAuth flow |
55 | | -- **Recommended:** `wk auth manage` — binds to 0.0.0.0, shows outbound IP for remote access, auto-closes after auth |
56 | | -- For agents/automation (prints JSON with URL): `wk auth manage --print-url` |
57 | | -- Legacy: `wk auth add user@company.com --headless --no-input` |
58 | | -- Poll completion manually: `wk auth poll <state>` |
59 | | -- No manual keyring setup needed on Linux headless — auto-configured automatically |
60 | | - |
61 | | -## 5) Token management |
62 | | -- List token keys: `wk auth tokens list` |
63 | | -- Export token (sensitive): `wk auth tokens export <key> --out token.json` |
64 | | -- Import token (sensitive): `wk auth tokens import <inPath>` |
65 | | -- Delete token: `wk auth tokens delete <key>` |
66 | | - |
67 | | -## 6) OAuth client credentials |
68 | | -- List clients: `wk auth credentials list` |
69 | | -- Set client from credentials.json: `wk auth credentials set <credentials-json-path> [--domain example.com]` |
70 | | -- Select client on commands: `wk --client <name> gmail search 'in:inbox'` |
71 | | - |
72 | | -## 7) Keyring backend |
73 | | -- Show/set backend: `wk auth keyring [backend]` |
74 | | -- Verify with: `wk auth status` |
75 | | - |
76 | | -## 8) Service account (Workspace only) |
77 | | -- Store key for domain-wide delegation: |
78 | | - - `wk auth service-account set --key /path/key.json <impersonate@company.com>` |
79 | | -- Check status: |
80 | | - - `wk auth service-account status` |
81 | | -- Remove key: |
82 | | - - `wk auth service-account unset` |
83 | | - |
84 | | -## 9) Keep-specific service account (Workspace only) |
85 | | -- `wk auth keep --key /path/key.json admin@company.com` |
86 | | - |
87 | | -## 10) Recommended auth pattern in agents |
88 | | -1. `wk auth status` |
89 | | -2. choose account (`-a`) and optional `--client` |
90 | | -3. run read checks with `--read-only` |
91 | | -4. run writes with `--dry-run`, then execute after confirmation |
| 50 | +```bash |
| 51 | +wk auth status # overall state + keyring backend |
| 52 | +wk auth list # all stored accounts |
| 53 | +wk auth services # services enabled per account |
| 54 | +``` |
| 55 | + |
| 56 | +## 2) Add / remove accounts |
| 57 | +```bash |
| 58 | +wk auth manage # recommended: interactive account manager |
| 59 | +wk auth add user@example.com # direct add (browser opens) |
| 60 | +wk auth add user@example.com --headless # headless: prints URL, polls until done |
| 61 | +wk auth remove user@example.com |
| 62 | +``` |
| 63 | + |
| 64 | +## 3) Multi-account |
| 65 | +```bash |
| 66 | +wk auth list |
| 67 | +wk -a user@company.com drive ls # per-command account |
| 68 | +wk auth alias set work user@company.com |
| 69 | +wk auth alias list |
| 70 | +wk auth alias unset work |
| 71 | +``` |
| 72 | + |
| 73 | +## 4) Token management |
| 74 | +```bash |
| 75 | +wk auth tokens list |
| 76 | +wk auth tokens export <key> --out token.json # sensitive |
| 77 | +wk auth tokens import <path> # sensitive |
| 78 | +wk auth tokens delete <key> |
| 79 | +``` |
| 80 | + |
| 81 | +## 5) OAuth client credentials (BYO GCP) |
| 82 | +```bash |
| 83 | +wk auth credentials list |
| 84 | +wk auth credentials set credentials.json [--domain example.com] |
| 85 | +wk --client <name> gmail search 'in:inbox' |
| 86 | +``` |
| 87 | + |
| 88 | +## 6) Keyring backend |
| 89 | +```bash |
| 90 | +wk auth keyring # show current backend |
| 91 | +wk auth keyring <backend> # set backend (secret-service, keychain, file, etc.) |
| 92 | +wk auth status # verify |
| 93 | +``` |
| 94 | + |
| 95 | +## 7) Service account (Workspace domain-wide delegation) |
| 96 | +```bash |
| 97 | +wk auth service-account set --key /path/key.json impersonate@company.com |
| 98 | +wk auth service-account status |
| 99 | +wk auth service-account unset |
| 100 | +``` |
| 101 | + |
| 102 | +## 8) Recommended pattern in agents |
| 103 | +1. `wk auth status` — check if account already exists |
| 104 | +2. If not: `wk auth add user@example.com --headless --no-input` and surface the URL |
| 105 | +3. `wk auth services` — verify services are authorized |
| 106 | +4. Read operations: add `--read-only` |
| 107 | +5. Write operations: `--dry-run` first, then without after confirmation |
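Review bot: The new section 8 agent pattern drops the old step 2 ("choose account (`-a`) and optional `--client`"), so an agent following it on a host with several stored accounts runs its reads and writes without stating which account they act on. Restore an explicit account-selection step before steps 4 and 5. Two documentation gaps in the same rewrite: the old section 9 (`wk auth keep`) and `wk auth poll <state>` disappear without a note on whether the commands were removed or are only undocumented, and the `# sensitive` comments on `wk auth tokens export` and `import` would help more if they said that `token.json` should be kept out of version control and deleted once imported.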