Authenticate & manage tokens
knit resolves credentials in this order: KNIT_TOKEN env → OS keyring → 0600 file.
Log in
Section titled “Log in”| Environment | Command |
|---|---|
| Agent / CI (headless) | printf '%s' "$THREADS_TOKEN" | knit auth login --token-stdin |
| Ephemeral (no storage) | export KNIT_TOKEN=<token> |
| Human (browser) | knit auth login then paste the redirected URL |
Secrets are never accepted as flags — only stdin or env. See Get a Threads token to obtain one.
Check status
Section titled “Check status”knit auth status --jsonTests the token live and reports the account, expiresInDays, the credential source, the
redacted token, and remaining publishQuotaRemaining. Exits non-zero if auth is broken.
Refresh
Section titled “Refresh”Long-lived tokens last 60 days. Extend without re-login (safe on a schedule):
knit auth refreshThe token must be ≥24h old and unexpired; otherwise re-run knit auth login.
Where secrets live
Section titled “Where secrets live”- OS keyring first (macOS Keychain / Linux Secret Service / Windows Credential Manager).
0600file fallback at$XDG_DATA_HOME/knit/credentials.json;knitwarns on stderr if its permissions are looser than0600.
Log out vs revoke
Section titled “Log out vs revoke”knit auth logout # removes LOCAL credentials onlyThis does not revoke the token upstream — the Threads API has no revocation endpoint. To fully revoke, remove the app under Threads → Settings → Account → Website permissions and rotate the app secret in the Meta dashboard. See the security policy.