Adding Clerk auth to your CLI
Blog post from Clerk
CLI authentication often goes wrong in two familiar ways: users paste API keys into config files, or developers mint long-lived tokens that never expire. Platforms such as Vercel and GitHub have moved to a more secure pattern: OAuth 2.0 with Proof Key for Code Exchange (PKCE) and a localhost callback, so the user authenticates in the browser and the CLI keeps the resulting session in the OS keychain. Developer Erik Steiger pointed out that Clerk's guides did not cover this, and this post fills that gap by walking through the flow and providing a TypeScript implementation developers can adapt. It contrasts two flows, the localhost callback and the device authorization grant, each suited to different CLI environments, and stresses two practical points: never hardcode the callback port, and provide a fallback for environments that lack a keychain. The example covers user auth with the localhost callback; it acknowledges that token refresh and revocation need more careful handling, that headless environments need the device flow, and that future implementations should be more streamlined.
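The localhost-callback flow described above, as an added example that is not Clerk's code nor the implementation from the post. It implements the provider-neutral parts of OAuth 2.0 authorization-code + PKCE (RFC 7636): a high-entropy `code_verifier`, the S256 `code_challenge`, a random `state` that is checked on return, and a loopback callback server bound to an OS-assigned port rather than a hardcoded one. The authorization endpoint, client id and scope are placeholders you must replace with your provider's values; opening the browser and storing the session in the OS keychain are left to the caller.

```typescript
// Added example (not from the original post): OAuth 2.0 authorization-code
// flow with PKCE and a localhost callback for a CLI. Endpoint, client id and
// scope values are placeholders, not real Clerk configuration.
import { createHash, randomBytes } from "node:crypto";
import * as http from "node:http";
import type { AddressInfo } from "node:net";

// base64url without padding, as RFC 7636 requires for verifier and challenge.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes encode to 43 unreserved chars, the RFC 7636 minimum length.
export function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// S256: base64url(SHA-256(ASCII(code_verifier))).
export function codeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Binds the browser redirect to this login attempt; compared in parseCallback.
export function generateState(): string {
  return base64url(randomBytes(16));
}

export interface AuthorizeParams {
  authorizeEndpoint: string; // placeholder, provider-specific
  clientId: string;
  redirectUri: string;
  scope: string;
  state: string;
  codeVerifier: string;
}

// Builds the URL the CLI opens in the user's browser. Only the challenge is
// sent; the verifier stays in process memory until the token exchange.
export function buildAuthorizeUrl(p: AuthorizeParams): string {
  const url = new URL(p.authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", p.clientId);
  url.searchParams.set("redirect_uri", p.redirectUri);
  url.searchParams.set("scope", p.scope);
  url.searchParams.set("state", p.state);
  url.searchParams.set("code_challenge", codeChallenge(p.codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

export type CallbackResult = { code: string } | { error: string };

// Validates the redirect the browser delivers to the loopback server:
// wrong path or mismatched state is rejected, provider errors pass through.
export function parseCallback(requestPath: string, expectedState: string): CallbackResult {
  const url = new URL(requestPath, "http://127.0.0.1");
  if (url.pathname !== "/callback") return { error: "unexpected path" };
  const err = url.searchParams.get("error");
  if (err) return { error: err };
  const state = url.searchParams.get("state");
  if (!state || state !== expectedState) return { error: "state mismatch" };
  const code = url.searchParams.get("code");
  if (!code) return { error: "missing code" };
  return { code };
}

// Body of the token request: the verifier proves the same client that started
// the flow is finishing it, so no client secret is embedded in the CLI.
export function tokenRequestBody(clientId: string, code: string, redirectUri: string, codeVerifier: string): string {
  return new URLSearchParams({
    grant_type: "authorization_code", client_id: clientId, code,
    redirect_uri: redirectUri, code_verifier: codeVerifier,
  }).toString();
}

// Listens on loopback only, on a port the OS assigns (never hardcoded),
// resolves the authorization code once and then shuts the server down.
export function startCallbackServer(expectedState: string): Promise<{ port: number; code: Promise<string> }> {
  return new Promise((resolveStart, rejectStart) => {
    let resolveCode!: (c: string) => void;
    let rejectCode!: (e: Error) => void;
    const code = new Promise<string>((res, rej) => { resolveCode = res; rejectCode = rej; });
    const server = http.createServer((req, res) => {
      const result = parseCallback(req.url ?? "/", expectedState);
      res.writeHead("code" in result ? 200 : 400, { "Content-Type": "text/plain" });
      res.end("code" in result ? "Login complete. You can close this tab." : `Login failed: ${result.error}`);
      "code" in result ? resolveCode(result.code) : rejectCode(new Error(result.error));
      server.close();
    });
    server.on("error", rejectStart);
    server.listen(0, "127.0.0.1", () => {
      resolveStart({ port: (server.address() as AddressInfo).port, code });
    });
  });
}

// Orchestrates the flow; openBrowser is supplied by the caller (e.g. a
// hypothetical wrapper around the platform's "open" command).
export async function login(opts: { authorizeEndpoint: string; clientId: string; scope: string; openBrowser: (url: string) => void }) {
  const codeVerifier = generateCodeVerifier();
  const state = generateState();
  const { port, code } = await startCallbackServer(state);
  const redirectUri = `http://127.0.0.1:${port}/callback`;
  opts.openBrowser(buildAuthorizeUrl({ authorizeEndpoint: opts.authorizeEndpoint, clientId: opts.clientId, scope: opts.scope, redirectUri, state, codeVerifier }));
  return { code: await code, codeVerifier, redirectUri };
}
```

After `login()` resolves, POST `tokenRequestBody(...)` to the provider's token endpoint and hand the returned session to your keychain layer; on platforms without a keychain the page's advice is to fall back to another store, and that fallback is where most CLI implementations cut corners.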