Skip to main content
datumctl uses OAuth 2.0 and OpenID Connect (OIDC) with PKCE for secure authentication. You do not need to manage API keys.

Getting Started

You authenticate through your browser, and datumctl stores your credentials securely in your system keyring. To get started, run the following command, which opens your browser and guides you through authentication. 
datumctl auth login
To see which users you have authenticated locally, use the list command: 
datumctl auth list
# Alias: datumctl auth ls
This will output a table showing the Name, Email, and Status (Active or blank) for each set of stored credentials. Other authentication commands include:
  • datumctl auth login
  • datumctl auth list
  • datumctl auth logout
  • datumctl auth get-token
  • datumctl auth update-kubeconfig
  • datumctl auth switch

Switching Active User

If you have logged in with multiple user accounts (visible via datumctl auth list), you can switch which account is active using the switch command: 
datumctl auth switch <user-email>
Replace <user-email> with the email address of the user you want to make active. This user must already be logged in. After switching, subsequent commands that require authentication (like datumctl organizations list or kubectl operations configured via update-kubeconfig) will use the credentials of the newly activated user.

Logging Out

To remove stored credentials, use the logout command. To logout a specific user, replace <user-email> with the email address shown in the datumctl auth list command. 
datumctl auth logout <user-email>
To remove all Datum Cloud credentials stored by datumctl in your keyring, use the following command: 
datumctl auth logout --all
Last modified on April 13, 2026