> ## Documentation Index
> Fetch the complete documentation index at: https://docs.githits.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate GitHits in CI and headless environments

> Authenticate GitHits without a browser in CI pipelines, SSH sessions, and containers — use an API token, browser-less OAuth, or file storage.

CI environments, SSH sessions, and containers cannot open a browser for OAuth. GitHits gives you two practical options: authenticate with an API token (recommended for CI) or use the `--no-browser` flag to get a URL you can open on another device.

## Option 1: API token (recommended for CI)

An API token lets you authenticate without any browser interaction. The token is read from an environment variable, so you can inject it as a CI secret without modifying your code or config files.

<Steps>
  <Step title="Get your API token">
    Log in to [githits.com](https://githits.com) and navigate to your account settings. Copy your API token — it starts with `ghi-`.
  </Step>

  <Step title="Set the environment variable">
    Export the token in your shell or add it to your CI configuration as a secret:

    ```bash theme={null}
    export GITHITS_API_TOKEN=ghi-your-token-here
    ```
  </Step>

  <Step title="Verify authentication">
    Confirm that GitHits picks up the token:

    ```bash theme={null}
    npx githits@latest auth status
    ```

    The output should show you as authenticated and indicate that credentials are sourced from the environment variable.
  </Step>
</Steps>

### GitHub Actions example

Add your API token as a repository secret named `GITHITS_API_TOKEN`, then reference it in your workflow:

```yaml theme={null}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run GitHits
        env:
          GITHITS_API_TOKEN: ${{ secrets.GITHITS_API_TOKEN }}
        run: |
          npx githits@latest auth status
```

The same pattern works for GitLab CI (`variables:`), CircleCI (project environment variables), and any other CI system that supports injecting secrets as environment variables.

## Option 2: Browser-less OAuth

If you need OAuth authentication but cannot open a browser on the same machine, use `--no-browser`. GitHits prints a URL instead of launching a browser — open it on any device to complete authentication.

```bash theme={null}
npx githits@latest login --no-browser
```

This is useful for SSH sessions where you have a browser available on your local machine but not on the remote host.

## Option 3: File storage OAuth (scripted environments)

If you need OAuth credentials persisted for a scripted environment that runs repeatedly, you can store them in a file instead of the system keychain:

```bash theme={null}
GITHITS_AUTH_STORAGE=file npx githits@latest login --force
```

Subsequent runs in that environment read credentials from the file without any browser or keychain interaction.

<Warning>
  File storage is **not encrypted**. The OAuth credentials are written as plain JSON files under your GitHits config directory. Any process that can read files as your OS user can read the tokens. For CI and automation, prefer `GITHITS_API_TOKEN` — it is easier to rotate and does not leave unencrypted credential files on disk.
</Warning>

You can also set file storage permanently in your config:

```toml theme={null}
# macOS/Linux: ~/.config/githits/config.toml
# Windows: %APPDATA%\githits\config.toml
[auth]
storage = "file"
```

## Choosing the right approach

| Scenario                                 | Recommended approach                    |
| ---------------------------------------- | --------------------------------------- |
| GitHub Actions, GitLab CI, CircleCI      | `GITHITS_API_TOKEN` secret              |
| SSH session with local browser available | `npx githits@latest login --no-browser` |
| Long-running container, no browser       | `GITHITS_API_TOKEN`                     |
| Local scripted workflow, trusted machine | File storage OAuth                      |
