datumctl can hold sessions for more than one Datum Cloud user at a time. This is useful when you work across several identities — a personal account and a machine account, or accounts on different environments — and want to move between them without logging out and back in. This guide covers listing your local sessions, switching the active one, logging out, and printing access tokens for other tools.
New to the CLI? Start with the Quickstart and Logging in guides. This page assumes you have already logged in at least once with
datumctl login.Working with multiple accounts
Every time you rundatumctl login, the resulting credentials are stored as a separate session. One session is always marked active — its credentials are used by every command that talks to the Datum Cloud API. The commands below let you see all your sessions and choose which one is active.
List your sessions
| Column | Meaning |
|---|---|
User | The email address used to log in. Pass this to datumctl auth switch or datumctl logout. |
Endpoint | Shown only when your sessions span more than one API endpoint (for example production and a custom environment). |
Status | Active marks the account whose credentials are used by default for all subsequent commands. |
datumctl login to get started.
Switch the active account
datumctl auth list. If you omit the email, an interactive picker lists all your sessions so you can choose one. If a single email matches sessions on more than one endpoint, you are prompted to pick the right one.
Each session remembers the last context (organization or project) you used. Switching accounts also restores that account’s context, so your active scope follows the identity you switch to. See Contexts & scoping for how the active context shapes what your commands act on.
datumctl confirms the active user and shows the restored context (and endpoint, when you have sessions on more than one):
datumctl login first — see Logging in for login options, including --no-browser for headless environments, or Service accounts for machine-identity credentials.
Log out
Logging out removes a user’s stored credentials from this machine.--all — the two cannot be combined. Use the email exactly as shown in datumctl auth list.
If you log out the active account while others remain, use datumctl auth switch to choose a new active session.
Printing access tokens for tooling
datumctl auth get-token prints an access token for the active user. Most people never need it — datumctl obtains and refreshes tokens automatically for its own commands. It exists as a credential helper so that other tools can borrow your Datum Cloud session instead of managing their own login.
datumctl uses the saved refresh token to fetch a new one before printing, so you always get a valid token.
Common uses:
- Scripts and direct API calls — capture the raw token and pass it as a bearer credential to
curlor another HTTP client. - Plugins — datumctl plugins call
get-tokento obtain a fresh token for the active session rather than implementing their own authentication. - kubectl — for existing kubectl users,
get-tokenalso emits a Kubernetes-format credential object. This path is set up for you bydatumctl auth update-kubeconfig; see using datumctl with kubectl.
Flags
| Flag | Description |
|---|---|
--output, -o | Output format. token (default) prints the raw access token; client.authentication.k8s.io/v1 prints a credential object for kubectl. |
--session | Look up a specific session by name instead of the active one. Used by tooling that pins each configuration to its own session. |
Where credentials are stored
datumctl splits what it stores in two places:
- Secrets (access and refresh tokens) go into your operating system keyring — Keychain on macOS, Secret Service on Linux, Credential Manager on Windows.
- Session and context metadata (which accounts exist, which is active, and each account’s last context) lives in
~/.datumctl/config.
When the OS keyring is unavailable — commonly on headless CI runners —
datumctl falls back to a file at ~/.datumctl/credentials.json, written with owner-only (0600) permissions. The fallback engages automatically; the rest of your workflow is unchanged. This file holds live tokens in plain text, so treat it as sensitive and keep it off shared or version-controlled storage.Next steps
- Logging in — the PKCE browser flow,
--no-browserdevice flow,whoami, and signing out. - Service accounts — non-interactive machine credentials for CI and automation.
- Contexts & scoping — how the active account maps to the organizations and projects your commands target.
- Using plugins — extend the CLI with commands that reuse your session through the credential helper.
- Using datumctl with kubectl — hand your active session to kubectl (existing kubectl users only).