Authentication
Authentication unlocks AI-validated scans, deep analysis, and cloud features. This guide covers all authentication methods.
Why Authenticate?
| Feature | Without Auth | With Auth |
|---|---|---|
| Local scans | Yes | Yes |
| Verified scans (AI validation) | No | Yes (Starter+) |
| Deep scans (semantic analysis) | No | Yes (Pro+) |
| Dashboard sync | No | Yes |
| Scan history (cloud) | No | Yes |
| API access | No | Yes (Starter+) |
Authentication Methods
1. Browser OAuth (Recommended)
The easiest method for local development:
oculum login
- Opens your default browser
- Sign in with GitHub
- Authorize Oculum
- CLI automatically receives credentials
2. API Key
For CI/CD, headless environments, or scripting:
oculum login --api-key ocu_abc123...
Get your API key from Dashboard Settings.
3. Environment Variable
Set OCULUM_API_KEY for automatic authentication:
export OCULUM_API_KEY=ocu_abc123...
oculum scan --depth verified
No explicit login required.
Creating an API Key
- Go to Dashboard Settings
- Click Create Key
- Name it descriptively (e.g., "GitHub Actions", "Local Dev")
- Copy the key immediately (shown only once)
- Store securely
Best Practices
- Create separate keys for different environments
- Use descriptive names
- Rotate keys periodically
- Revoke unused keys
CLI Commands
Check Status
oculum status
Output:
Logged in as: user@example.com
Plan: Pro
Scan depths: local, verified, deep
Credits: 45 / 250 (18%)
Reset date: February 1, 2026
Logout
oculum logout
Removes stored credentials from your machine.
Credential Storage
CLI
Credentials are stored in ~/.oculum/credentials.json:
{
"apiKey": "ocu_...",
"email": "user@example.com",
"plan": "pro",
"expiresAt": "2026-02-01T00:00:00Z"
}
This file is created automatically after login.
VS Code Extension
The VS Code extension uses VS Code's Secret Storage API, which provides secure, encrypted storage.
CI/CD Setup
GitHub Actions
env:
OCULUM_API_KEY: ${{ secrets.OCULUM_API_KEY }}
steps:
- uses: actions/checkout@v4
- run: npm install -g @oculum/cli
- run: oculum scan --depth verified --fail-on high
Add OCULUM_API_KEY to repository secrets:
- Settings → Secrets and variables → Actions
- New repository secret
- Name:
OCULUM_API_KEY - Value: Your API key
GitLab CI
variables:
OCULUM_API_KEY: $OCULUM_API_KEY
security-scan:
script:
- npm install -g @oculum/cli
- oculum scan --depth verified
Add the variable in Settings → CI/CD → Variables.
Other CI Systems
Set OCULUM_API_KEY as an environment variable.
Troubleshooting
"Authentication required"
Error: Authentication required for verified scans.
Run 'oculum login' to authenticate.
Solution: Run oculum login or set OCULUM_API_KEY.
"Invalid API key"
Error: Invalid API key.
Solutions:
- Verify the key is correct (no extra spaces)
- Check the key hasn't been revoked
- Try creating a new key
Browser Doesn't Open
If oculum login doesn't open a browser:
# Use API key instead
oculum login --api-key YOUR_KEY
Or manually open the URL shown in the terminal.
Re-authenticate
oculum logout
oculum login
Security
API Key Security
- Never commit API keys to version control
- Use environment variables or secret managers
- Rotate keys if compromised
Credential File Permissions
The credential file is created with user-only permissions (600).
Revoking Keys
Revoke compromised keys immediately:
- Go to Dashboard Settings
- Find the key
- Click Revoke
Plans and Tiers
| Plan | Features |
|---|---|
| Free | Local scans only |
| Starter | + Verified scans, API access |
| Pro | + Deep scans, priority support |
| Max | + Higher limits |
See Credits & Usage for plan details.
Related
- Credits & Usage — Plans and quotas
- CI/CD Setup — Pipeline integration
- VS Code Extension — IDE authentication