Teamwork Graph CLI (TWG CLI) uses authentication to verify your identity, so it only accesses Atlassian data on your behalf. When you authenticate, TWG CLI stores your credentials securely on your device and uses them automatically each time you run a command.
TWG CLI uses OAuth 2.1 as its only supported authentication method. The one exception is Bitbucket, which isn't covered by OAuth yet and requires a separate Bitbucket token.
When you run twg login in your terminal, TWG CLI opens a browser window where you sign in to Atlassian and grant access. Your credentials are then stored locally and refreshed automatically, so you don't need to sign in again for day-to-day use.
To set up OAuth 2.1, see Configure OAuth 2.1.
Site admin and organization admin authentication works differently. It uses an Atlassian Admin API key limited to your organization. This API key is stored in its own config file, so it never interacts with your personal auth.conf.
To authenticate as an admin, run:
1 2twg admin auth login --email <your-email> --org <your-org-id>
Bitbucket is the only exception to OAuth support: Bitbucket commands aren't covered by OAuth yet and require a separate Bitbucket token. When you run twg login, you're prompted for your Bitbucket token. To set or refresh it later, see Configure OAuth 2.1.
TWG CLI never asks you to paste or share your authentication tokens in a prompt, chat, or conversation. Don't respond if an agent or tool asks you to share a token this way. Tokens are always entered through secure, interactive terminal prompts that aren't stored in shell history or visible to other processes.
TWG CLI always acts within the bounds of your existing Atlassian permissions. It can only read or modify the data you already have access to — authentication doesn't grant any elevated access beyond what your account allows.
OAuth access tokens expire after their server-issued lifetime, but TWG CLI refreshes them using a refresh token, so you typically won't notice. TWG CLI schedules refresh before the access token expires and also installs a per-user upkeep helper during setup so coding agents don't need to rotate credentials from inside their sandboxes. After 30 days of inactivity, the refresh token itself expires, and TWG CLI prompts you to sign in again.
You can re-authenticate at any time by running:
1 2twg login --force
To revoke your OAuth token, run:
1 2twg logout
Organization admins can also revoke active TWG CLI sessions after changing OAuth permission settings in Atlassian Administration. When that happens, users must authenticate again before TWG CLI can use the updated permissions.
Rate this page: