Authentication
Reis authenticates using personal access tokens (PATs). You generate a PAT in the Bahriya console and provide it to Reis.
Logging in
reis auth:login
Reis prompts you for:
- API URL — defaults to
https://api.bahriya.cloud/console/v1. Press Enter to accept the default, or provide a custom URL for self-hosted environments.
- Personal access token — paste your PAT (input is hidden). Tokens must start with
pat_.
Reis validates the token by making a test API call. If successful, your credentials are saved to ~/.reis/config.yml.
Checking auth status
reis auth:status
Shows whether you are authenticated, your API URL, a masked version of your token, and validates that the credentials are still valid by making an API call.
How credentials are stored
Credentials are stored in ~/.reis/config.yml:
api_url: 'https://api.bahriya.cloud/console/v1'
token: 'pat_abc123...'
default_org: 'org-uuid-here'
The file is created on first login. Only the current user has read/write access.
Setting your organisation
Most Reis commands operate within an organisation context. After logging in, set your default organisation:
# Interactive — prompts with a list of your organisations
reis org:switch
# Direct — pass the organisation ID
reis org:switch 550e8400-e29b-41d4-a716-446655440000
This saves the default_org in ~/.reis/config.yml. All subsequent commands (including reis apply -f) use this organisation automatically.
You can override the default on any command with --org:
reis container:list --org 550e8400-e29b-41d4-a716-446655440000
reis apply -f infrastructure.yml --org 550e8400-e29b-41d4-a716-446655440000
To see which organisation is currently active:
reis org:list
Your default organisation is marked in the output.
Using environment variables
For CI/CD pipelines, set the REIS_TOKEN environment variable instead of running reis auth:login:
export REIS_TOKEN=pat_abc123...
When REIS_TOKEN is set, Reis uses it instead of the stored config file token. This keeps your PAT out of shell history and config files on ephemeral CI runners.
You can also set the API URL:
export REIS_API_URL=https://api.bahriya.cloud/console/v1
Exit codes
Reis uses distinct exit codes to help scripts differentiate between errors:
| Exit code | Meaning |
|---|
0 | Success |
1 | General error (API error, validation failure, etc.) |
2 | Authentication failure (not logged in, expired token, invalid credentials) |
Exit code 2 lets CI pipelines detect auth problems separately from application errors:
reis container:list --project my-project --output json
if [ $? -eq 2 ]; then
echo "Authentication failed - check your REIS_TOKEN"
exit 1
fi
Logging out
Delete your config file to remove stored credentials:
rm ~/.reis/config.yml
Or delete the entire config directory:
rm -rf ~/.reis
