Authentication
proDevice-auth and API-key flows for linking a device to a Pro team.
Pro devices authenticate to the team via one of two flows: device-auth (best for interactive sessions, opens a browser) or API key (for headless installs).
Device-auth (interactive)
grith pro login
What happens:
- grith generates a one-time device code.
- Browser opens
grith.ai/devicewith the code pre-filled. - You sign in to grith.ai (if not already) and approve the device.
- grith receives a long-lived token, stores it at
~/.config/grith/licenses/<team-id>.signed(perms0600). - License is now active;
grith pro statusconfirms.
The token is bound to this device and this team. Logging in to a different team
adds a second token; both stay valid until explicit grith pro logout.
API key (headless)
For unattended installs — CI runners, Docker images, kiosk devices:
grith pro login --api-key <KEY>
Get an API key from the dashboard: Settings → API keys → New key. The key is shown once at creation; copy it then. Each key can be scoped to a single device or a class of devices.
API keys can be rotated or revoked from the dashboard without losing other devices' access.
Verifying
grith pro status
Shows: team, plan, license expiry, seats used, last refresh.
Common issues
"Not enrolled" after login
The license refresh hasn't completed. Wait 30 seconds, retry. If persistent, check network connectivity to grith.ai:
curl https://grith.ai/health
"Invalid signature" on license
The license file is corrupted or has been tampered with. Remove and re-login:
rm ~/.config/grith/licenses/*.signed
grith pro login
Multiple teams on one device
Supported. Each grith pro login adds a license file. grith pro status shows
which is active; switch with:
grith config set general.active_team <team-id>
Logout
grith pro logout
Removes the local license cache and authentication state. Pro features lock out; community features unaffected. The device remains in the team's seat list on the dashboard until the team admin explicitly revokes (cleaner audit trail).