Browser OIDC login for tcloud CLI

Log in to Thalassa Cloud from your terminal with a browser session. Short-lived tokens, OS keychain storage, and kubectl exec credentials ship in tcloud v0.20.0.

2026-07-07
Thalassa Cloud
3 min read

Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop.

With tcloud v0.20.0, browser-based OIDC login is the default. Run tcloud context create or tcloud context login, complete the sign-in flow in your browser, and the CLI stores the OIDC credentials securely and keeps them refreshed. No more token copy-paste of Personal Access Tokens required.

What changed

The highlights from v0.20.0 for day-to-day platform work:

AreaWhat you get
AuthenticationBrowser OIDC with PKCE; default when no other credentials are supplied
Credential storageRefresh tokens persisted in the OS keychain (macOS Keychain, Windows Credential Manager, Linux secret service)
Token lifecycleAutomatic access-token refresh in the background
Kubernetes accesstcloud kubernetes connect and kubeconfig render exec-based credentials for kubectl
Config hygieneOwner-only config file permissions, secret redaction in context view, and tcloud context fix

Personal access tokens, access tokens, and OIDC client credentials still work. Browser login is aimed at interactive use on a trusted workstation.

Log in from the terminal

Install or upgrade to latest version:

# macOS
brew upgrade thalassa-cloud/tap/tcloud

# or download from GitHub releases
# https://github.com/thalassa-cloud/cli/releases/latest

Create a context and authenticate through the browser:

tcloud context create --name production

tcloud opens your default browser, runs the OIDC authorization code flow with PKCE, and binds the resulting session to the context. To re-authenticate an existing context:

tcloud context login

Verify the session:

tcloud me organisations

You can still pass --token or --client-id / --client-secret when you need a non-interactive flow. Browser login is only the default when no other credentials are provided.

Credentials stay out of your config file

Access and refresh tokens live in your OS keychain; the config file (~/.tcloud) holds context metadata such as API endpoint, organisation, and project scope.

If you migrated from an older setup, run:

tcloud context fix --migrate-credentials

kubectl without long-lived kubeconfig tokens

Kubernetes engineers spend a lot of time switching contexts. tcloud kubernetes connect now generates kubeconfigs that use a kubectl exec credential plugin by default. When kubectl needs a token, it calls back into tcloud, which returns a fresh ExecCredential — the same pattern used by gcloud, aws eks, and other cloud CLIs.

Drop into a cluster shell with a temporary kubeconfig (removed when you exit):

tcloud kubernetes connect my-cluster

Export a kubeconfig for your usual KUBECONFIG workflow:

tcloud kubernetes kubeconfig my-cluster > ~/.kube/thalassa-my-cluster

Prefer an inline session token for tools that do not support exec plugins? Pass --inline-token to either command for the old behaviour.

Upgrade notes

  • Existing PAT-based contexts continue to work. Re-run tcloud context login --browser when you want to switch a context to OIDC.

Related posts