Authentication

Authenticate your requests using Basic Auth, Bearer tokens, API keys, or OAuth 2.0.

Basic Auth

Username & Password

Use -u / --auth to send HTTP Basic Authentication credentials. The value is automatically Base64-encoded and sent as an Authorization header.

# Using -u (short form)
tgrs GET https://api.example.com/admin -u admin:secret123

# Using --auth (long form)
tgrs GET https://api.example.com/admin --auth admin:secret123

This sends the header: Authorization: Basic YWRtaW46c2VjcmV0MTIz

Bearer Token

Bearer Authentication

Use -B / --bearer to send a Bearer token. This is the most common authentication method for modern APIs.

# Using -B (short form)
tgrs GET https://api.example.com/me \
  -B eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0

# Using --bearer (long form)
tgrs GET https://api.example.com/me \
  --bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0

This sends the header: Authorization: Bearer eyJhbGci...

Tip: You can also set the Bearer token manually with -H "Authorization: Bearer your-token"; the --bearer flag is a convenient shortcut.

API Key

API Key as Query Parameter

Use -K / --api-key-query to add an API key as a query parameter. This is useful for APIs that expect the key in the URL.

# API key as query parameter
tgrs GET https://api.example.com/data \
  --api-key-query "api_key=your-api-key-here"

The request URL becomes: https://api.example.com/data?api_key=your-api-key-here

API Key as Header

For APIs that expect the key in a header, use the standard -H flag.

# API key in X-Api-Key header
tgrs GET https://api.example.com/data \
  -H "X-Api-Key: your-api-key-here"

# API key in custom header
tgrs GET https://api.example.com/data \
  -H "X-Auth-Token: your-token"

OAuth 2.0

OAuth 2.0 Overview

tgrs supports three OAuth 2.0 flows. Use the --oauth2 flag with the format: flow:token_url:client_id[:client_secret]

authorization_code   Browser-based login with redirect callback
client_credentials   Server-to-server authentication
password             Resource owner password credentials

Client Credentials Flow

The simplest flow — authenticate with a client ID and secret to get an access token.

tgrs GET https://api.example.com/data \
  --oauth2 "client_credentials:https://auth.example.com/token:my-client-id:my-client-secret"

Authorization Code Flow

Opens a browser for login and captures the token via a local callback server. Supports PKCE for public clients (no client secret required).

tgrs GET https://api.example.com/data \
  --oauth2 "authorization_code:https://auth.example.com/token:my-client-id:my-client-secret" \
  --oauth2-auth-url "https://auth.example.com/authorize" \
  --oauth2-scope "read write"

Password Flow

Authenticate with username and password.

tgrs GET https://api.example.com/data \
  --oauth2 "password:https://auth.example.com/token:my-client-id:my-client-secret" \
  --oauth2-username "john" \
  --oauth2-password "secret"

OAuth 2.0 Additional Options

Flag               Description
--oauth2-scope     OAuth scope (e.g., "read write")
--oauth2-auth-url  Authorization URL (for authorization_code flow)
--oauth2-username  Username (for password flow)
--oauth2-password  Password (for password flow)
--oauth2-port      Callback port for auth code flow (default: 8484)

Note: The authorization_code flow without a client secret automatically uses PKCE (Proof Key for Code Exchange) for enhanced security.
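
How the PKCE exchange named in the note works, as an added example (not tgrs's own code): a Python walk-through of the RFC 7636 S256 method, showing what the client sends in the browser and what the authorization server checks at the token endpoint. That tgrs uses S256, the function names, and the /callback path on the default port 8484 are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    # Base64url without "=" padding, the encoding RFC 7636 specifies.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # Client: 32 random bytes give a 43-character verifier (spec allows 43-128).
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    # Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(auth_url, client_id, redirect_uri, scope, challenge, state):
    # Step 1: URL opened in the browser. Only the challenge is sent;
    # the verifier never leaves the client until the token request.
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{auth_url}?{query}"

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    # Step 2 (authorization server, token endpoint): recompute the challenge
    # from the presented verifier and compare in constant time.
    try:
        recomputed = code_challenge_s256(presented_verifier)
    except UnicodeEncodeError:
        return False
    return hmac.compare_digest(stored_challenge, recomputed)

if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(authorize_url("https://auth.example.com/authorize", "my-client-id",
                        "http://127.0.0.1:8484/callback",  # path is an assumption
                        "read write", challenge, secrets.token_urlsafe(16)))
    print("client holding the verifier:", server_accepts(challenge, verifier))
    print("different verifier:", server_accepts(challenge, new_code_verifier()))
```
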

Quick Reference

Authentication Flags

Flag      Alias            Description
-u        --auth           Basic auth (user:pass)
-B        --bearer         Bearer token
-K        --api-key-query  API key as query param
--oauth2                   OAuth 2.0 (flow:token_url:client_id[:secret])