Authentication
Nexrall's API is authenticated with a bearer token in the Authorization header:
Authorization: Bearer <token>Getting a token
- Interactively, sign in through the Nexrall CLI or the VS Code extension — both handle the login flow for you and store the resulting token locally.
- For CI or server-to-server use, set the token as an environment variable rather than relying on an interactive login:
sh
export NEXRALL_TOKEN=<token>An explicit NEXRALL_TOKEN environment variable always takes precedence over any locally saved interactive session — this is the recommended way to authenticate in CI.
Token scope
A token is tied to your Nexrall account and has the same permissions your account has in the app — it does not carry elevated or reduced permissions on its own.
Keeping tokens safe
- Never commit a token to a repository or client-side code.
- In GitHub Actions, store it as a repository secret (for example,
NEXRALL_TOKEN) and reference it in your workflow'ssecretscontext. - Treat a leaked token like a leaked password — it grants the same access your account has.