Authentication
LPM has four authentication commands, each for a different scenario:
| Command | Use case | Token type | Lifetime |
|---|---|---|---|
lpm login | Authenticate the CLI | Full access (read + write) | Until revoked |
lpm setup-npmrc | Make npm install work locally | Read-only | 30 days (configurable) |
lpm setup | Configure .npmrc for CI/CD | ${LPM_TOKEN} placeholder | Depends on CI secret |
lpm setup --oidc | Secret-free CI installs | Read-only OIDC token | 30 minutes |
For dashboard access to your encrypted environment vault, see lpm env pair under Dashboard Pairing — a separate one-time flow that authorizes a browser session without ever transmitting a long-lived decryption key.
Step 1 — Sign in
lpm loginThis opens your browser for OAuth authentication. After signing in, your token is stored securely in your OS keychain. If the keychain is unavailable, LPM falls back to an AES-256-GCM encrypted file.
Verify you're authenticated:
lpm whoamiStep 2 — Configure npm for your project
lpm login authenticates the CLI, but npm install doesn't know about the keychain. To make npm install work with @lpm.dev/* packages, run:
lpm setup-npmrcThis creates a 30-day read-only token and writes it to your project's .npmrc. It also adds .npmrc to .gitignore to prevent accidental token commits.
✔ Read-only token created.
✔ .npmrc configured with read-only LPM token.
ℹ .npmrc added to .gitignore to prevent token leaks.
ℹ Token expires: April 18, 2026
ℹ Run `lpm setup-npmrc` again to refresh when expired.
After this, both lpm install and npm install work:
npm install # ✓ uses the token from .npmrc
lpm install # ✓ uses the keychain token (always works)You can customize the token lifetime:
lpm setup-npmrc --days 7 # 7-day token
lpm setup-npmrc --days 90 # 90-day tokenRun lpm setup-npmrc again anytime to refresh an expired token.
Dashboard access for the env vault
Once you've signed in and pushed encrypted environment variables to lpm.dev (Pro/Org — see Cloud Sync), you can also unlock the dashboard view of your vaults:
lpm env pair <CODE>Open lpm.dev/dashboard/secrets, copy the 6-character code the dashboard prints, and run the command from a machine that already has the wrapping key in its keychain. The CLI hands a wrapped copy of the wrapping key to the browser via ECDH — the server never sees the plaintext key. See Dashboard Pairing for the full flow.
CI/CD Authentication
For CI/CD pipelines, you have two options:
Option 1 — OIDC (recommended, no secrets)
If your CI supports OIDC (GitHub Actions, GitLab CI), use lpm setup --oidc for secret-free installs:
lpm setup --oidcThis exchanges the CI provider's identity token for a short-lived LPM read-only token (30 minutes). No LPM_TOKEN secret needed anywhere.
Requires: Your GitHub or GitLab account must be linked to your LPM account at Settings > Security.
See CI/CD Integration for complete workflow examples.
Option 2 — Environment variable
For CI platforms without OIDC, or deployment platforms like Vercel and Netlify:
lpm setupThis writes a .npmrc with the ${LPM_TOKEN} placeholder. Set the LPM_TOKEN environment variable in your CI/deployment settings.
See Deployment Platforms for platform-specific guides.
Sign out
lpm logoutThis removes the stored token from your keychain.
