cloudsmith-io
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cloudsmith_cli/cli/commands/auth.py‎
Lines changed: 24 additions & 3 deletions b/‎cloudsmith_cli/cli/commands/auth.py‎
Lines changed: 24 additions & 3 deletions
diff --git a/‎cloudsmith_cli/cli/tests/commands/test_auth.py‎
Lines changed: 115 additions & 0 deletions b/‎cloudsmith_cli/cli/tests/commands/test_auth.py‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎cloudsmith_cli/cli/tests/test_webserver.py‎
Lines changed: 122 additions & 0 deletions b/‎cloudsmith_cli/cli/tests/test_webserver.py‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎cloudsmith_cli/cli/webserver.py‎
Lines changed: 25 additions & 10 deletions b/‎cloudsmith_cli/cli/webserver.py‎
Lines changed: 25 additions & 10 deletions
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+
+- Added `--no-keyring` flag to `cloudsmith auth` which can only be used when passing `--get-token` flag in order to skip keyring checks. This will allow users to extract their Cloudsmith API key programmatically without requiring user-input. This can also be configured on environment level by setting `CLOUDSMITH_NO_KEYRING=1`.
+
 ## [1.12.1] - 2026-02-03
 
 ### Added
 
@@ -1,5 +1,6 @@
 """CLI/Commands - Authenticate the user."""
 
+import os
 import webbrowser
 
 import click
@@ -16,7 +17,16 @@
 AUTH_SERVER_PORT = 12400
 
 
-def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=False):
+def _set_no_keyring_env(ctx, param, value):
+    """Callback to set CLOUDSMITH_NO_KEYRING env var when flag is used."""
+    if value:
+        os.environ["CLOUDSMITH_NO_KEYRING"] = "1"
+    return value
+
+
+def _perform_saml_authentication(
+    opts, owner, enable_token_creation=False, json=False, no_keyring=False
+):
     """Perform SAML authentication via web browser and local web server."""
     session = create_configured_session(opts)
     api_host = opts.api_config.host
@@ -40,6 +50,7 @@ def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=
         debug=opts.debug,
         refresh_api_on_success=enable_token_creation,
         api_opts=opts.api_config,
+        no_keyring=no_keyring,
     )
 
     auth_server.handle_request()
@@ -81,11 +92,21 @@ def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=
     is_flag=True,
     help="Output token details in json format.",
 )
+@click.option(
+    "--no-keyring",
+    default=False,
+    is_flag=True,
+    callback=_set_no_keyring_env,
+    is_eager=True,
+    help="Skip storing SSO tokens in system keyring. Use this in CI/CD "
+    "environments to avoid keyring permission prompts. Note: SSO tokens "
+    "will not persist for subsequent CLI calls.",
+)
 @decorators.common_cli_config_options
 @decorators.common_cli_output_options
 @decorators.initialise_api
 @click.pass_context
-def authenticate(ctx, opts, owner, token, force, save_config, json):
+def authenticate(ctx, opts, owner, token, force, save_config, json, no_keyring):
     """Authenticate to Cloudsmith using the org's SAML setup."""
     json = json or utils.should_use_stderr(opts)
     # If using json output, we redirect info messages to stderr
@@ -109,7 +130,7 @@ def authenticate(ctx, opts, owner, token, force, save_config, json):
     context_message = "Failed to authenticate via SSO!"
     with handle_api_exceptions(ctx, opts=opts, context_msg=context_message):
         _perform_saml_authentication(
-            opts, owner, enable_token_creation=token, json=json
+            opts, owner, enable_token_creation=token, json=json, no_keyring=no_keyring
         )
 
     if token:
 
@@ -0,0 +1,115 @@
+"""Tests for the auth command."""
+
+import os
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from ...commands.auth import authenticate
+
+
+@pytest.fixture
+def mock_saml_session():
+    """Mock the SAML session creation."""
+    with patch(
+        "cloudsmith_cli.cli.commands.auth.create_configured_session"
+    ) as mock_session:
+        mock_session.return_value = MagicMock()
+        yield mock_session
+
+
+@pytest.fixture
+def mock_get_idp_url():
+    """Mock the IDP URL retrieval."""
+    with patch("cloudsmith_cli.cli.commands.auth.get_idp_url") as mock_url:
+        mock_url.return_value = "https://idp.example.com/saml"
+        yield mock_url
+
+
+@pytest.fixture
+def mock_webbrowser():
+    """Mock the webbrowser.open call."""
+    with patch("cloudsmith_cli.cli.commands.auth.webbrowser") as mock_browser:
+        yield mock_browser
+
+
+@pytest.fixture
+def mock_auth_server():
+    """Mock the AuthenticationWebServer."""
+    with patch(
+        "cloudsmith_cli.cli.commands.auth.AuthenticationWebServer"
+    ) as mock_server_class:
+        mock_server_instance = MagicMock()
+        mock_server_class.return_value = mock_server_instance
+        yield mock_server_class
+
+
+class TestAuthenticateCommand:
+    """Tests for the authenticate command."""
+
+    def test_no_keyring_flag_passed_to_webserver(
+        self,
+        runner,
+        mock_saml_session,
+        mock_get_idp_url,
+        mock_webbrowser,
+        mock_auth_server,
+    ):
+        """Verify --no-keyring flag is passed to AuthenticationWebServer."""
+        runner.invoke(
+            authenticate,
+            ["--owner", "testorg", "--no-keyring"],
+            catch_exceptions=False,
+        )
+
+        # Verify AuthenticationWebServer was called with no_keyring=True
+        mock_auth_server.assert_called_once()
+        call_kwargs = mock_auth_server.call_args.kwargs
+        assert call_kwargs.get("no_keyring") is True
+
+    def test_no_keyring_flag_defaults_to_false(
+        self,
+        runner,
+        mock_saml_session,
+        mock_get_idp_url,
+        mock_webbrowser,
+        mock_auth_server,
+    ):
+        """Verify no_keyring defaults to False when flag not provided."""
+        runner.invoke(
+            authenticate,
+            ["--owner", "testorg"],
+            catch_exceptions=False,
+        )
+
+        # Verify AuthenticationWebServer was called with no_keyring=False
+        mock_auth_server.assert_called_once()
+        call_kwargs = mock_auth_server.call_args.kwargs
+        assert call_kwargs.get("no_keyring") is False
+
+    def test_no_keyring_flag_sets_env_var(
+        self,
+        runner,
+        mock_saml_session,
+        mock_get_idp_url,
+        mock_webbrowser,
+        mock_auth_server,
+    ):
+        """Verify --no-keyring flag sets CLOUDSMITH_NO_KEYRING env var."""
+        # Ensure env var is not set before test
+        env_backup = os.environ.copy()
+        os.environ.pop("CLOUDSMITH_NO_KEYRING", None)
+
+        try:
+            runner.invoke(
+                authenticate,
+                ["--owner", "testorg", "--no-keyring"],
+                catch_exceptions=False,
+            )
+
+            # Verify environment variable was set
+            assert os.environ.get("CLOUDSMITH_NO_KEYRING") == "1"
+        finally:
+            # Restore original environment
+            os.environ.clear()
+            os.environ.update(env_backup)
@@ -0,0 +1,122 @@
+"""Tests for the webserver module."""
+
+from unittest.mock import MagicMock, PropertyMock, patch
+
+import pytest
+
+from ..webserver import AuthenticationWebRequestHandler, AuthenticationWebServer
+
+
+class TestAuthenticationWebServer:
+    """Tests for AuthenticationWebServer."""
+
+    def test_no_keyring_attribute_set_from_kwargs(self):
+        """Verify no_keyring is set from kwargs."""
+        with patch("socket.socket"):
+            with patch.object(AuthenticationWebServer, "server_bind"):
+                with patch.object(AuthenticationWebServer, "server_activate"):
+                    server = AuthenticationWebServer(
+                        ("127.0.0.1", 12400),
+                        AuthenticationWebRequestHandler,
+                        bind_and_activate=False,
+                        owner="testorg",
+                        no_keyring=True,
+                    )
+                    assert server.no_keyring is True
+
+    def test_no_keyring_defaults_to_false(self):
+        """Verify no_keyring defaults to False when not provided."""
+        with patch("socket.socket"):
+            with patch.object(AuthenticationWebServer, "server_bind"):
+                with patch.object(AuthenticationWebServer, "server_activate"):
+                    server = AuthenticationWebServer(
+                        ("127.0.0.1", 12400),
+                        AuthenticationWebRequestHandler,
+                        bind_and_activate=False,
+                        owner="testorg",
+                    )
+                    assert server.no_keyring is False
+
+
+class TestAuthenticationWebRequestHandlerNoKeyring:
+    """Tests for AuthenticationWebRequestHandler with no_keyring flag."""
+
+    @pytest.fixture
+    def mock_handler(self):
+        """Create a mock handler with controlled attributes."""
+        with patch.object(
+            AuthenticationWebRequestHandler, "__init__", lambda *args, **kwargs: None
+        ):
+            handler = AuthenticationWebRequestHandler.__new__(
+                AuthenticationWebRequestHandler
+            )
+            handler.server_instance = MagicMock()
+            handler.server_instance.api_host = "https://api.cloudsmith.io"
+            handler.refresh_api_on_success = False
+            handler.session = MagicMock()
+            handler.debug = False
+            return handler
+
+    def test_store_sso_tokens_called_when_no_keyring_false(self, mock_handler):
+        """Verify store_sso_tokens is called when no_keyring is False."""
+        mock_handler.no_keyring = False
+
+        with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
+            with patch.object(mock_handler, "_return_success_response"):
+                with patch.object(
+                    AuthenticationWebRequestHandler,
+                    "query_data",
+                    new_callable=PropertyMock,
+                ) as mock_query:
+                    with patch.object(
+                        AuthenticationWebRequestHandler,
+                        "api_host",
+                        new_callable=PropertyMock,
+                    ) as mock_host:
+                        mock_query.return_value = {
+                            "access_token": "test_access_token",
+                            "refresh_token": "test_refresh_token",
+                        }
+                        mock_host.return_value = "https://api.cloudsmith.io"
+
+                        mock_handler.do_GET()
+
+                        mock_store.assert_called_once_with(
+                            "https://api.cloudsmith.io",
+                            "test_access_token",
+                            "test_refresh_token",
+                        )
+
+    def test_store_sso_tokens_not_called_when_no_keyring_true(self, mock_handler):
+        """Verify store_sso_tokens is NOT called when no_keyring is True."""
+        mock_handler.no_keyring = True
+
+        with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
+            with patch("click.echo") as mock_echo:
+                with patch.object(mock_handler, "_return_success_response"):
+                    with patch.object(
+                        AuthenticationWebRequestHandler,
+                        "query_data",
+                        new_callable=PropertyMock,
+                    ) as mock_query:
+                        with patch.object(
+                            AuthenticationWebRequestHandler,
+                            "api_host",
+                            new_callable=PropertyMock,
+                        ) as mock_host:
+                            mock_query.return_value = {
+                                "access_token": "test_access_token",
+                                "refresh_token": "test_refresh_token",
+                            }
+                            mock_host.return_value = "https://api.cloudsmith.io"
+
+                            mock_handler.do_GET()
+
+                            # store_sso_tokens should NOT be called
+                            mock_store.assert_not_called()
+
+                            # Message should be displayed to stderr
+                            mock_echo.assert_called_once_with(
+                                "SSO tokens not stored (--no-keyring enabled)",
+                                err=True,
+                            )
@@ -52,6 +52,7 @@ def __init__(
         self.debug = kwargs.get("debug", False)
         self.refresh_api_on_success = kwargs.get("refresh_api_on_success", False)
         self.api_opts = kwargs.get("api_opts")
+        self.no_keyring = kwargs.get("no_keyring", False)
         self.exception = None
 
         super().__init__(
@@ -90,6 +91,7 @@ def finish_request(self, request, client_address):
             session=self.session,
             refresh_api_on_success=self.refresh_api_on_success,
             server_instance=self,
+            no_keyring=self.no_keyring,
         )
 
     def _handle_request_noblock(self):
@@ -133,6 +135,7 @@ def __init__(self, request, client_address, server, **kwargs):
         self.session = kwargs.get("session")
         self.refresh_api_on_success = kwargs.get("refresh_api_on_success", False)
         self.server_instance = kwargs.get("server_instance")
+        self.no_keyring = kwargs.get("no_keyring", False)
 
         super().__init__(request, client_address, server)
 
@@ -200,11 +203,17 @@ def do_GET(self):
 
         try:
             if access_token:
-                store_sso_tokens(
-                    self.api_host,
-                    access_token,
-                    refresh_token,
-                )
+                if self.no_keyring:
+                    click.echo(
+                        "SSO tokens not stored (--no-keyring enabled)",
+                        err=True,
+                    )
+                else:
+                    store_sso_tokens(
+                        self.api_host,
+                        access_token,
+                        refresh_token,
+                    )
 
                 if self.refresh_api_on_success and self.server_instance:
                     self.server_instance.refresh_api_config_after_auth()
@@ -220,11 +229,17 @@ def do_GET(self):
                 access_token, refresh_token = exchange_2fa_token(
                     self.api_host, two_factor_token, totp_token, session=self.session
                 )
-                store_sso_tokens(
-                    self.api_host,
-                    access_token,
-                    refresh_token,
-                )
+                if self.no_keyring:
+                    click.echo(
+                        "SSO tokens not stored (--no-keyring enabled)",
+                        err=True,
+                    )
+                else:
+                    store_sso_tokens(
+                        self.api_host,
+                        access_token,
+                        refresh_token,
+                    )
 
                 if self.refresh_api_on_success and self.server_instance:
                     self.server_instance.refresh_api_config_after_auth()