Your company here — click to reach over 10,000 unique daily visitors

oidc-agent - Man Page

OIDC token agent


oidc-agent [OPTION...]


oidc-agent -- An agent to manage oidc token


--always-allow-idtoken Always allow id-token requests without manual

approval by the user.

-a,  --socket-path=PATH, --bind_address=PATH

Create the UNIX-domain used for communicating with the agent at this PATH. The default is '$TMPDIR/oidc-XXXXXX/oidc-agent.<ppid>'. Use 'XXXXXX' as the last six characters of a directory in the path to substitute them with random characters.

-c,  --confirm

Requires user confirmation when an application requests an access token for any loaded configuration


Print agent socket and pid as JSON instead of bash.

-k,  --kill

Kill the current agent (given by the OIDCD_PID environment variable)


Disables the autoload feature: A token request cannot load the needed configuration. You have to do it with oidc-add.

--no-autoreauthenticate,  --no-auto-reauthenticate

Disables the automatic re-authentication feature: If a refresh token expired the re-atuhentiacte is not started automatically; you have to do it manually.


This option applies only when the authorization code flow is used. oidc-agent will not use a custom uri scheme redirect.


This option applies only when the authorization code flow is used. oidc-agent will not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and 'manual' redirect is possible.


Disable informational messages to stdout.

-t,  --lifetime=TIME

Sets a default value in seconds for the maximum lifetime of account configurations added to the agent. A lifetime specified for an account configuration with oidc-add overwrites this default value. Without this option the default maximum lifetime is forever.


This option allows that applications running under another user can access the agent. The user running the other application and the user running the agent have to be in the specified group. If no GROUP_NAME is specified the default is 'oidc-agent'.


-d,  --console

Runs oidc-agent on the console, without daemonizing.

-g,  --debug

Sets the log level to DEBUG.


Additionally prints log messages to stderr.


Connects to the currently running agent and prints status information about it.


-?,  --help

Give this help list


Give a short usage message

-V,  --version

Print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.



UNIX-domain sockets used to contain the connection to the agent.



Starts oidc-agent and prints the commands needed for setting the required environment variables.

eval `oidc-agent`

Starts oidc-agent and sets the required environment variables (only for this shell).

oidc-agent > ~/tmp/oidc-agent.env

Starts oidc-agent and exports the needed shell commands to ~/tmp/oidc-agent.env Can be used to persist the agent.

Reporting Bugs

Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

See Also

oidc-gen(1), oidc-add(1), oidc-token(1), oidc-keychain(1)

Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-agent

Referenced By

oidc-add(1), oidc-agent-service(1), oidc-gen(1), oidc-keychain(1), oidc-prompt(1), oidc-token(1).

January 2024 oidc-agent 5.1.0