
Log in to Thalassa Cloud from your terminal with a browser session. Short-lived tokens, OS keychain storage, and kubectl exec credentials ship in tcloud v0.20.0.
Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop.
With tcloud v0.20.0, browser-based OIDC login is the default. Run tcloud context create or tcloud context login, complete the sign-in flow in your browser, and the CLI stores the OIDC credentials securely and keeps them refreshed. No more token copy-paste of Personal Access Tokens required.
The highlights from v0.20.0 for day-to-day platform work:
| Area | What you get |
|---|---|
| Authentication | Browser OIDC with PKCE; default when no other credentials are supplied |
| Credential storage | Refresh tokens persisted in the OS keychain (macOS Keychain, Windows Credential Manager, Linux secret service) |
| Token lifecycle | Automatic access-token refresh in the background |
| Kubernetes access | tcloud kubernetes connect and kubeconfig render exec-based credentials for kubectl |
| Config hygiene | Owner-only config file permissions, secret redaction in context view, and tcloud context fix |
Personal access tokens, access tokens, and OIDC client credentials still work. Browser login is aimed at interactive use on a trusted workstation.
Install or upgrade to latest version:
# macOS
brew upgrade thalassa-cloud/tap/tcloud
# or download from GitHub releases
# https://github.com/thalassa-cloud/cli/releases/latest
Create a context and authenticate through the browser:
tcloud context create --name production
tcloud opens your default browser, runs the OIDC authorization code flow with PKCE, and binds the resulting session to the context. To re-authenticate an existing context:
tcloud context login
Verify the session:
tcloud me organisations
You can still pass --token or --client-id / --client-secret when you need a non-interactive flow. Browser login is only the default when no other credentials are provided.
Access and refresh tokens live in your OS keychain; the config file (~/.tcloud) holds context metadata such as API endpoint, organisation, and project scope.
If you migrated from an older setup, run:
tcloud context fix --migrate-credentials
Kubernetes engineers spend a lot of time switching contexts. tcloud kubernetes connect now generates kubeconfigs that use a kubectl exec credential plugin by default. When kubectl needs a token, it calls back into tcloud, which returns a fresh ExecCredential — the same pattern used by gcloud, aws eks, and other cloud CLIs.
Drop into a cluster shell with a temporary kubeconfig (removed when you exit):
tcloud kubernetes connect my-cluster
Export a kubeconfig for your usual KUBECONFIG workflow:
tcloud kubernetes kubeconfig my-cluster > ~/.kube/thalassa-my-cluster
Prefer an inline session token for tools that do not support exec plugins? Pass --inline-token to either command for the old behaviour.
tcloud context login --browser when you want to switch a context to OIDC.