tb_sys_auth_profile
Auth and profile
Use this skill before cloud, project, resource, clone, push, or GitHub-backed tau work. The user must be signed in to GitHub through the Tau CLI where that work depends on it.
Stop conditions (apply first)
Browser-based GitHub login
If login requires the browser (no usable --token, or tau still sends the user to the browser):
- Tell the user they must finish GitHub authorization in the browser (the agent cannot do it for them).
- Give the exact
tau login …command to run when that helps. - Stop the workflow immediately. Do not continue with other
tausteps, pushes, clones, or repo operations until the user confirms login finished. - Then re-check with
tau --json current.
User will not authenticate
If GitHub-backed work is needed but the user will not run tau login --new (no account / first machine) or tau login / tau login <profile_name> (existing account) as appropriate: stop and explain that tau new project, tau push, clone, and repo registration will fail without auth.
Policy: profile name, token, and non-interactive mode
What tau login actually accepts (confirm with tau login --help on the installed binary):
| Flag | Short | Role |
|---|---|---|
--token |
-t |
Git provider token (e.g. GitHub PAT) for non-browser login when available |
--name |
-n |
Tau profile name |
--provider |
-p |
Provider (default github) |
--new |
— | Create a new profile; implied when no profiles exist |
--set-default |
-d |
Set as default profile (--no-set-default / --no-d to disable) |
Usage line: tau login [command options] <name> — profile label may be --name / -n or the trailing <name> positional.
Globals (from tau --help) go before the subcommand, e.g. tau --defaults --yes login …, per tb_sys_execution_modes when automating.
There is no separate “GitHub username” flag on login. Use --name for the Tau profile name (often the same string as the GitHub handle). Use --token when you have a PAT for unattended login.
GitHub handle / profile name
- User already gave a GitHub handle (or explicit profile name): prefer
tau --defaults --yes login …where applicable; set--nameto the name they asked for, or their handle as<profile_name>if they did not specify otherwise; add--tokenwhen a token is available. Do not re-prompt unless unclear or wrong. - User did not give a handle when you need it for
--nameor repo context: ask in chat before suggesting or running commands. Do not guess or invent a profile name.
Token vs browser
- With a valid
--token, a browser step is usually unnecessary. - Without
--token, expect browser GitHub sign-in → Stop conditions above.
Workflow
1. Check current context
tau --json current
2. If profile is missing or there is no Tau account yet
Standard path: tau login --new with GitHub (not optional for first account). Apply Policy and Stop conditions before choosing flags.
Example (explicit provider and profile name):
tau login --new --provider github --name <profile_name>
- If the user should only attach or switch an existing account:
tau loginortau login <profile_name>(positional profile pertau login --help). - If you are automating and have a handle plus PAT:
tau --defaults --yes login …with--tokenand--nameas documented in help.
If this path does not use --token, treat it as browser OAuth → Stop conditions: inform the user, stop, resume only after they confirm, then go to step 3.
3. After the user confirms login (including any browser step)
tau --json current
Do not treat login as complete until the user has confirmed and this check shows a valid profile as expected.
Named profile and switching
Creating a named profile uses the same tau login --new … --name <profile_name> pattern as in step 2.
tau login --new --provider github --name <profile_name>
Switching default / context to an existing profile:
tau login <profile_name>
Apply the same Policy and Stop conditions as for the first-time flow.
Quick verify
tau --json current
Use after login and whenever you need to confirm which profile is active.
More from taubyte/skills
verifying-taubyte-functions
Verifies a Taubyte Go function locally via the `taubyte/go-wasi` Docker recipe (preferred over `tau build`, with tmpfs+bind-mount-ro to avoid root-owned artifacts in the source tree), and verifies a function actually serves on Dream by curling the gateway with the right `Host:` header (plus `/etc/hosts` mapping for `*.localtau`). Use when locally compiling a Go function to WASM, when smoke-testing a function before pushing, or when probing a Dream-hosted HTTP function from the laptop.
12creating-taubyte-resources
Creates Taubyte resources non-interactively via `tau new` for domain, website, library, function, application, database, storage, messaging, and service. Encodes the project-vs-application scope rule, the database `min < max` constraint, the website/library `--generate-repository` + import sequence, and the forbidden `--generated-fqdn-prefix` flag. Use when adding any resource to a Taubyte project's config repo.
12diagnosing-dream-builds
Diagnoses Dream local-cloud builds when `tau list/query builds` is empty or unreliable, by hitting the jobs HTTP endpoint directly (`GET /jobs/<project_id>`, `GET /job/<job_id>`) using the GitHub token from `~/tau.yaml`, then downloading logs with `tau query logs --jid`. Use when Dream builds appear silent, the build table is empty after `dream inject`, or you need raw job ids and logs for a failing build.
11taubyte-resource-creation
Scope-aware resource creation workflow. Uses non-interactive mode by default and references the shared flags catalog.
11taubyte-push-build-verify
Pushes config/code and verifies builds/logs. Includes website/library push handling with tau command first, git fallback.
11taubyte-scope-routing
Routes project-level vs application-scoped work; defaults to a website when a browser UI is logically appropriate; avoids unnecessary applications for simple website/function-only tasks unless needed.
11