Login Command

The login command allows you to specify credentials and obtain an authorization token that can be used to authorize further interaction with the Observe service. Remember that these authorization tokens have the same powers that you do, and thus should be treated with care much the same as a password for any application. You may find it useful to create a new dummy user with restricted powers to use for automation use cases.

login Command Options

Short Command

Full Command




Use SSO to log in.



Read password from stdin (avoid putting it on command line).



Don’t save the authtoken in the config file.

You can use any of the three following formats for your login:

  1. observe login email@example.com password - This format specifies the password on the command line. Not particularly secure if you use a shell application with command history, but may be helpful when using the tool from automation where the history does not echo.

  2. observe login email@example.com --read-password - This format reads the password from the standard input. What you type does not echo to avoid it leaking into the shell scrollback log. This is the most convenient option if you use an email and password login to authenticate with Observe.

  3. observe login email@example.com --sso - This format issues an authentication request to the specified user visible in the Observe instance. Open the URL printed by this command in a browser, and approve the request, and receive the authentication token. Use this flow to generate an authentication token if you use SSO sign-in such as with SAML.


Not all SSO IdPs provide an email address, therefore this method may not be available to your account.

With the --save option, the login command updates the profile used to store the authentication token in the ~/.config/observe.yaml file. You can specify which profile to create or update with the --profile configuration option before the login command.

Once you have logged in, you do not need to do this again as long as the authentication token remains valid and available either from the config file or from the command line for each subsequent command. Configuration tokens not used expire after a period, typically set to ten days.