tl login opens a browser, authenticates your account, and stores a local CLI token. After that, tl git and tl fs commands mint the short-lived credentials they need automatically.
You only handle a Git credential yourself when you use plain git, CI, or another HTTP client.
How Authentication Fits Together
There are two layers:| Layer | What it is | Used by |
|---|---|---|
| Tensorlake CLI/API auth | Your account, API key, or personal access token. This authorizes calls to Tensorlake. | tl login, tl git, tl fs, API clients |
| Git credential | A short-lived credential minted for repository access. This authorizes Git-backed file system operations. | git clone, git push, SDK calls, tl fs mounts |
How Git Credentials Work
When a command needs repository access:- The CLI authenticates to Tensorlake with your local CLI token, API key, or PAT.
- Tensorlake checks the current project and authorized principal.
- Tensorlake mints a short-lived Git credential for that principal.
- The Git service verifies the credential’s signature, project, repo pattern, expiration, revocation status, and scopes on each request.
| Field | Meaning |
|---|---|
gitUsername | The Git username. It is always t. |
token | The password Git sends with HTTP Basic auth. |
expiresAt | When the credential stops working. |
repoPattern | The repository or repository pattern the credential can access. |
scopes | The operations the credential can perform. |
Mint a Git Credential
t. The password is the token.
Use It With Git
- Credential store
- Embed in URL
Cache the credential with Git’s credential helper:Git remembers the credential for later commands against the same remote.
Scopes
Every credential carries one or more scopes:| Scope | Grants |
|---|---|
git:read | Clone, fetch, and read-only mount |
git:write | Push, snapshot, and promote. Implies git:read. |
repo:write | Create, fork, delete, archive, and restore repositories |
project:read | List and read every repository in the project. Implies git:read. |
project:admin | Project administration, workspace fleet management, quotas, and operation history. Implies project:read and git:read. |
tl git token --repo <repo> mints git:read and git:write for that repository only. It is enough to clone, push, snapshot, and promote. It cannot create, delete, or list other repositories.
Repo-scoped credentials cannot create repositories, delete repositories, manage keys, or revoke tokens.
Token Lifetime
Git credentials are short-lived by design. The default lifetime is one hour. When a token expires, mint a new one:tl fs handles this automatically. It caches fresh Git credentials for later commands and a running mount daemon rotates its credential before expiry.
For the full plain Git workflow, see Git Repositories.
Git Repositories
Mint a credential, clone, branch, commit, merge, and push.
Platform Authentication
API keys, personal access tokens, SSO, and broader Tensorlake API authentication.