I have an API that's protected by Auth0.
I want my users to have CLI access to this API as well. I was considering using the one-time password flow initially when the developer signs in to the CLI to request a refresh token, and then persist this on the disk for future use.
But this just feels wrong. Is there any other more secure approach?
The CLI might be used on build servers etc., so I guess it has to be a permanent token that lasts forever.
While we're at it, what do other APIs do, for instance GitHub when I request a Personal Access Token? Is that the same?
Did you check this? https://auth0.com/docs/flows/guides/device-auth/call-api-device-auth.
By using this flow on a CLI the user will log in interactively through a browser and then will enter a code in the CLI. This will give you back an access token and a refresh token. You could use the refresh token in your CI process to obtain new tokens on every build (or whenever the AT expires).
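The three steps of that answer (request a device code, poll until the user approves in the browser, then reuse the refresh token on later runs) as an added worked example; this is not code from the question, the answer or Auth0. It assumes the Auth0 endpoint paths `/oauth/device/code` and `/oauth/token`, the RFC 8628 error codes `authorization_pending`, `slow_down`, `expired_token` and `access_denied`, and the `offline_access` scope for getting a refresh token; `FakeAuth0`, the client id, audience and all token values are constructed so the flow runs offline.

```python
"""CLI client for the OAuth 2.0 Device Authorization Grant as Auth0 exposes it.
Assumed (not from the page): endpoint paths, error codes, offline_access scope.
FakeAuth0 is a constructed stand-in for the Auth0 tenant so this runs offline."""
import json
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class DeviceFlowClient:
    domain: str
    client_id: str
    audience: str                                # API identifier registered in Auth0
    post: Callable[[str, Dict[str, str]], dict]  # transport: (url, form fields) -> JSON dict
    sleep: Callable[[float], None] = time.sleep  # injectable so the demo can fake time
    now: Callable[[], float] = time.monotonic

    def start(self) -> dict:
        """Step 1: obtain device_code plus the user_code the person types into a browser."""
        return self.post(f"https://{self.domain}/oauth/device/code", {
            "client_id": self.client_id,
            "scope": "openid offline_access",    # offline_access -> a refresh token is issued
            "audience": self.audience})

    def poll(self, device: dict) -> dict:
        """Step 2: poll the token endpoint until approval, honouring the server's back-off."""
        interval = float(device.get("interval", 5))
        deadline = self.now() + float(device["expires_in"])
        while self.now() < deadline:
            self.sleep(interval)
            resp = self.post(f"https://{self.domain}/oauth/token", {
                "grant_type": DEVICE_CODE_GRANT,
                "device_code": device["device_code"],
                "client_id": self.client_id})
            error = resp.get("error")
            if error is None:
                return resp                      # access_token, refresh_token, expires_in ...
            if error == "authorization_pending":
                continue                         # user has not approved yet
            if error == "slow_down":
                interval += 5                    # RFC 8628: add 5 s to the polling interval
                continue
            raise PermissionError(error)         # expired_token, access_denied, invalid_grant
        raise TimeoutError("device code expired before the user approved")

    def refresh(self, refresh_token: str) -> dict:
        """Step 3 (later runs, CI builds): trade the stored refresh token for a new access token."""
        return self.post(f"https://{self.domain}/oauth/token", {
            "grant_type": "refresh_token", "client_id": self.client_id,
            "refresh_token": refresh_token})


def save_refresh_token(path: str, token: str) -> None:
    """Persist the refresh token readable by the current user only (mode 0600 on POSIX)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": token}, fh)


def load_refresh_token(path: str) -> str:
    with open(path) as fh:
        return json.load(fh)["refresh_token"]


class FakeAuth0:
    """Constructed stand-in: answers slow_down once, then pending, then issues tokens."""

    def __init__(self, approve_after: int = 2):
        self.clock, self.polls, self.approve_after = 0.0, 0, approve_after

    def sleep(self, seconds):
        self.clock += seconds                    # fake clock so the demo finishes instantly

    def now(self):
        return self.clock

    def post(self, url, form):
        if url.endswith("/oauth/device/code"):
            return {"device_code": "dc-constructed", "user_code": "WXYZ-1234",
                    "verification_uri_complete": "https://example.auth0.com/activate?user_code=WXYZ-1234",
                    "expires_in": 300, "interval": 5}
        if form["grant_type"] == DEVICE_CODE_GRANT and form["device_code"] == "dc-constructed":
            self.polls += 1
            if self.polls == 1:
                return {"error": "slow_down"}
            if self.polls <= self.approve_after:
                return {"error": "authorization_pending"}
            return {"access_token": "at-first", "refresh_token": "rt-constructed",
                    "token_type": "Bearer", "expires_in": 86400}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-constructed":
            return {"access_token": "at-renewed", "token_type": "Bearer", "expires_in": 86400}
        return {"error": "invalid_grant"}


def run_demo() -> dict:
    server = FakeAuth0(approve_after=2)
    client = DeviceFlowClient("example.auth0.com", "CLIENT_ID_PLACEHOLDER",
                              "https://api.example.com", server.post, server.sleep, server.now)
    device = client.start()
    # A real CLI prints device["verification_uri_complete"] and device["user_code"] here.
    tokens = client.poll(device)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.json")
        save_refresh_token(path, tokens["refresh_token"])
        mode = stat.S_IMODE(os.stat(path).st_mode)
        renewed = client.refresh(load_refresh_token(path))
    return {"user_code": device["user_code"], "polls": server.polls, "waited": server.now(),
            "access_token": tokens["access_token"], "renewed": renewed["access_token"], "mode": mode}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two points the answer leaves implicit are visible here: the poller must treat `slow_down` as an instruction to back off rather than an error, and the refresh token, being the long-lived credential that build servers will hold, is the thing to protect on disk (here with owner-only permissions) and to revoke in the Auth0 dashboard when a build agent is retired. For a real tenant, replace `FakeAuth0` with an HTTP transport that POSTs form-encoded fields and returns the JSON body.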