https://api.runflow.ai) by default. If you run RunFlow in your own environment — or juggle several environments (cloud, staging, a customer install) — you point the CLI at each API once and it remembers everything for that profile: the API URL and the identity provider used to log in.
Change the API once
- Resolves the target API and shows it before opening the browser.
- Discovers the login provider from the server, so you sign in against your identity provider — not
auth.runflow.ai. - Remembers both in the active profile. Every later
rf login, token refresh, and command reuses the same URL and provider — no need to pass--apiagain.
Discovery is automatic. The CLI calls the installation’s public
GET /runtime/auth/cli-config endpoint to learn which OIDC provider to open.
If the server doesn’t publish it (older versions) or is unreachable, the CLI
falls back to RunFlow Cloud defaults — so existing logins keep working.How the provider is resolved
When you log in or refresh a token, the CLI resolves the auth provider in this order (first match wins):| Priority | Source | When to use |
|---|---|---|
| 1 | RUNFLOW_AUTH0_* env vars | Force a provider locally (CI, testing) |
| 2 | Server discovery (/runtime/auth/cli-config) | Normal self-hosted flow — nothing to configure on your side |
| 3 | auth saved in the profile | Reusing a profile you already logged into |
| 4 | RunFlow Cloud defaults | Cloud, or a server without the discovery endpoint |
--api > RUNFLOW_API_URL > the active profile’s saved api > cloud default.
Multiple environments as profiles
Each profile remembers its own API URL and provider, so cloud and self-hosted installs live side by side. There’s no separate “create profile” command — a profile is created (and activated) when you log in with--profile:
rf login --profile <name> both creates and activates that profile, so the last
login is the active one. You only pass --api the first time — the URL and
provider are remembered for that profile afterward.
Switching environments vs. tenants. With a browser (OIDC) login,
rf switch moves between the tenants of the active account — not between
profiles. To activate a different environment, log into it again with
rf login --profile <name>. (API-key logins switch between profiles directly
with rf switch <name>.) See Profiles.Signing out
rf logout clears the stored tokens but keeps the API URL, provider, and tenant, so signing back in is a single rf login with no flags:
Environment variable overrides
Useful for CI or scripted runs where you don’t want to persist a profile:| Variable | Overrides |
|---|---|
RUNFLOW_API_URL | Target API base URL |
RUNFLOW_AUTH0_DOMAIN | Login provider domain |
RUNFLOW_AUTH0_CLIENT_ID | OIDC client ID used for login/refresh |
RUNFLOW_AUTH0_AUDIENCE | Token audience |
Where it’s stored
Connection settings are saved per profile in~/.runflowrc (YAML):
For self-hosted administrators
For the CLI to discover your provider (instead of falling back to cloud), the api-portal serving the installation must expose the discovery endpoint and have these set:| api-portal env var | Purpose |
|---|---|
AUTH0_DOMAIN | Your identity provider’s domain — the CLI opens /authorize here |
AUTH0_CLI_CLIENT_ID | A dedicated native/public (PKCE) client, distinct from the portal SPA client (AUTH0_CLIENT_ID) |
AUTH0_AUDIENCE | The API audience for issued tokens |
Next Steps
Login
Authentication and profile basics
Profiles
Manage and switch environments