tl login opens a browser, authenticates your account, and stores a local CLI token. After that, tl git commands mint the short-lived credentials they need automatically.
You only handle a Git credential yourself when you use plain git, CI, or another HTTP client.
How Authentication Fits Together
There are two layers:
Your CLI/API credential is not sent to Git. Tensorlake uses it to mint a Git credential, then Git clients and mounts use that Git credential against the repository service.
How Git Credentials Work
When a command needs repository access:- The CLI authenticates to Tensorlake with your local CLI token, API key, or PAT.
- Tensorlake checks the current project and authorized principal.
- Tensorlake mints a short-lived Git credential for that principal.
- The Git service verifies the credential’s signature, project, repo pattern, expiration, revocation status, and scopes on each request.
Most CLI paths mint a repo-scoped credential. That keeps clone, push, snapshot, and promotion operations narrow to the repository they are working on.
Mint a Git Credential
t. The password is the token.
Use It With Git
- Credential store
- Embed in URL
Cache the credential with Git’s credential helper:Git remembers the credential for later commands against the same remote.
Scopes
Every credential carries one or more scopes:tl git token --repo <repo> mints git:read and git:write for that repository only. It is enough to clone, push, snapshot, and promote. It cannot create, delete, or list other repositories.
Repo-scoped credentials cannot create repositories, delete repositories, manage keys, or revoke tokens.
Token Lifetime
Git credentials are short-lived by design. The default lifetime is one hour. When a token expires, mint a new one:tl git mounts handle this automatically. The CLI caches fresh Git credentials for later commands and a running mount daemon rotates its credential before expiry.
For the full plain Git workflow, see Use with Git.
Git Repositories
Mint a credential, clone, branch, commit, merge, and push.
Platform Authentication
API keys, personal access tokens, SSO, and broader Tensorlake API authentication.