> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synheart.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# 3. Authenticate the CLI

> Sign the CLI in to your Synheart platform account

Once you have a platform account, authenticate the CLI so it can install the runtime and other artifacts from the registry.

## Sign in

```bash theme={null}
synheart login
```

The CLI uses **OAuth 2.0 Device Flow**:

1. The CLI prints a URL and a one-time code.
2. Open the URL in your browser.
3. Sign in to [`platform.synheart.ai`](https://platform.synheart.ai) and confirm the code.
4. The CLI receives a token and stores it securely.

### Where credentials are stored

* **macOS**: Keychain.
* **Windows**: Credential Manager.
* **Linux**: Secret Service (libsecret-compatible). On headless or container Linux without a Secret Service daemon, the CLI falls back to an encrypted file at `~/.synheart/credentials.enc`.

## Verify

```bash theme={null}
synheart whoami
synheart auth status   # token expiry, refresh state
```

## Sign out

```bash theme={null}
synheart logout            # remove local credentials
synheart logout --revoke   # also revoke the token on the server
```

## Enterprise gateways

The CLI talks to `https://api.synheart.ai` by default, and that's the only
endpoint supported on standard builds. Pointing the CLI elsewhere requires
either an enterprise plan (which enables `SYNHEART_API_URL` so the same
binary can target your dedicated Synheart gateway) or rebuilding the CLI
from source against your own endpoint. Once `SYNHEART_API_URL` is enabled
for your account, the value is picked up by `login`, `install`, `sync`,
`whoami`, and `auth status`.

## Next

<Card title="Install the runtime" icon="download" href="/setup/install-runtime">
  Download the on-device HSI runtime that powers Synheart Core.
</Card>