The CLI authenticates against the Dynamic dashboard. Use browser login when you’re working interactively, and a token when you’re running in CI or any non-interactive context.
Interactive login
The CLI opens your browser, you approve the request from the dashboard, and the token is stored locally. Login also auto-selects the first available environment so your next command works immediately.
Check what you’re authenticated as and which environment is active:
Log out to clear the stored token — do this on shared machines:
Non-interactive (CI)
In CI there’s no browser to complete the login flow. Provide a token through the DYN_CLI_TOKEN environment variable instead:
export DYN_CLI_TOKEN=<your-token>
dyn status
DYN_CLI_TOKEN is set, the CLI uses it directly and skips the browser flow.
Treat DYN_CLI_TOKEN as a secret. Store it in your CI provider’s secret manager, never in source control, and scope it to the environment the pipeline needs.
Running commands non-interactively
Destructive commands (delete, revoke, disable, reset) prompt for confirmation by default. In CI there’s no one to answer the prompt, so pass -y/--yes:
dyn users delete <user-id> --yes
dyn apply, the safety gates also require explicit opt-in flags when the plan includes risky changes — for example --allow-critical-changes or --allow-delete. Combine them with --yes for a fully non-interactive apply:
dyn apply -f env.yaml --yes --allow-critical-changes
Add --no-color in CI to strip ANSI escape codes from logs, and -o json when a later step needs to parse the output.
Example: GitHub Actions
- name: Check Dynamic config drift
env:
DYN_CLI_TOKEN: ${{ secrets.DYN_CLI_TOKEN }}
run: |
npm install -g @dynamic-labs/dynamic-console-cli
dyn apply -f envs/live.yaml --dry-run --no-color
