Auth and profile
Use this skill before
cloud, project, resource, clone, push, or GitHub-backed work. The user must be signed in to
GitHub through the Tau CLI where that work depends on it.
Stop conditions (apply first)
Browser-based GitHub login
If login
requires the browser (no usable
, or
still sends the user to the browser):
- Tell the user they must finish GitHub authorization in the browser (the agent cannot do it for them).
- Give the exact command to run when that helps.
- Stop the workflow immediately. Do not continue with other steps, pushes, clones, or repo operations until the user confirms login finished.
- Then re-check with .
User will not authenticate
If GitHub-backed work is needed but the user will not run
(no account / first machine) or
/
(existing account) as appropriate:
stop and explain that
,
, clone, and repo registration
will fail without auth.
Policy: profile name, token, and non-interactive mode
What actually accepts (confirm with
on the installed binary):
| Flag | Short | Role |
|---|
| | Git provider token (e.g. GitHub PAT) for non-browser login when available |
| | Tau profile name |
| | Provider (default ) |
| — | Create a new profile; implied when no profiles exist |
| | Set as default profile ( / to disable) |
Usage line:
tau login [command options] <name>
— profile label may be
/ or the trailing
positional.
Globals (from
) go
before the subcommand, e.g.
tau --defaults --yes login …
, per
when automating.
There is
no separate “GitHub username” flag on
. Use
for the
Tau profile name (often the same string as the GitHub handle). Use
when you have a PAT for unattended login.
GitHub handle / profile name
- User already gave a GitHub handle (or explicit profile name): prefer
tau --defaults --yes login …
- User did not give a handle when you need it for or repo context: ask in chat before suggesting or running commands. Do not guess or invent a profile name.
Token vs browser
- With a valid , a browser step is usually unnecessary.
- Without , expect browser GitHub sign-in → Stop conditions above.
Workflow
1. Check current context
2. If profile is missing or there is no Tau account yet
Standard path:
with GitHub (not optional for first account). Apply
Policy and
Stop conditions before choosing flags.
Example (explicit provider and profile name):
bash
tau login --new --provider github --name <profile_name>
- If the user should only attach or switch an existing account: or (positional profile per ).
- If you are automating and have a handle plus PAT:
tau --defaults --yes login …
If this path
does not use
, treat it as
browser OAuth →
Stop conditions: inform the user,
stop, resume only after they confirm, then go to step 3.
3. After the user confirms login (including any browser step)
Do not treat login as complete until the user has confirmed and this check shows a valid profile as expected.
Named profile and switching
Creating a named profile uses the same
tau login --new … --name <profile_name>
pattern as in step 2.
bash
tau login --new --provider github --name <profile_name>
Switching default / context to an existing profile:
Apply the same Policy and Stop conditions as for the first-time flow.
Quick verify
Use after login and whenever you need to confirm which profile is active.