Authentication
The Watasu CLI supports two ways to log in: a browser flow for humans and API keys for automation. Once authenticated, the same credentials work for both API calls and Git pushes to git.watasu.io.
Browser login
Section titled “Browser login”watasu loginThe CLI opens your browser, you authenticate, and it stores credentials locally. If the browser can’t open (for example over SSH), the CLI prints the login URL so you can open it elsewhere. Use this on workstations.
API key login
Section titled “API key login”For CI, scripts, or any non-interactive environment:
watasu login --api-key "$WATASU_API_KEY"Generate API keys in the dashboard. Keep them in your CI provider’s secret store, not in your repo.
Where credentials live
Section titled “Where credentials live”Credentials are stored in your ~/.netrc file (%USERPROFILE%\_netrc on Windows) with user-only permissions, under entries for api.watasu.io and git.watasu.io. That’s why git push to your Watasu remote works without any extra setup after login — Git reads the same file.
Who am I logged in as?
Section titled “Who am I logged in as?”watasu whoamiLog out
Section titled “Log out”watasu logoutRemoves locally stored credentials.
How the CLI chooses an app
Section titled “How the CLI chooses an app”Most commands target a single app. The CLI resolves which one in this order:
--app <name>if you passed it explicitly--remote <name>if you specified a Git remote name- the default
watasuGit remote in the current directory
That’s why running watasu config:set FOO=bar works without --app when you’re inside your app’s repo — the remote tells the CLI which app to target.
- On workstations, use browser login. It rotates cleanly with your account.
- In CI, use API keys. Treat them like any other deploy credential.
- When scripting, always pass
--appexplicitly. Implicit remote-based resolution is convenient interactively but a footgun in CI.