Agent Authentication
jackin’ forwards your host login for each supported agent into the container automatically. Log in once on the host; every container launch picks up the same account.
Every agent supports the same set of authentication modes. The default is sync — your host login is forwarded as-is.
| Mode | Behavior |
|---|---|
sync (default) | Copy host credentials into the container on each launch. When host auth is absent, preserve any existing container auth. |
api_key | Inject an API-key env var from your operator env vars. No credential files are written. |
oauth_token | Inject an OAuth token from your operator env vars. Claude Code only — other agents reject this mode. |
ignore | Never forward host auth. Revoke any previously forwarded credentials. |
Which modes are available per agent, and which env vars or credential files are involved, is documented on each agent’s page:
- Claude Code —
sync,api_key,oauth_token,ignore - Codex —
sync,api_key,ignore - Amp —
sync,api_key,ignore - OpenCode —
sync,api_key,ignore
How sync works
Section titled “How sync works”sync is the default for every agent. The flow is the same regardless of which agent you use:
- Log in on the host. Use the agent’s own
logincommand to establish credentials on your host machine. - Launch the container. jackin’ copies the host credentials into the container on every launch.
- Agent runs authenticated. The agent inside the container sees the same account, subscription, and model access you have on the host.
When the host’s credentials are missing (e.g. you logged out), sync preserves the container’s existing auth rather than wiping it. This prevents accidental de-authentication from a missing file.
Scopes
Section titled “Scopes”Each agent’s mode is resolved at three scopes, most-specific wins:
per-(workspace × role × agent) > per-workspace > global > sync
Global default
Section titled “Global default”jackin config auth set syncjackin config auth set api_key --agent codexjackin config auth set sync --agent ampjackin config auth set sync --agent opencodeWithout --agent, config auth set targets Claude Code. jackin config auth show prints the current global modes for all agents.
Per workspace and per (workspace × role × agent)
Section titled “Per workspace and per (workspace × role × agent)”Open jackin console, select the workspace, switch to the Auth tab. The tab shows global defaults (read-only), workspace defaults for each agent, and any per-role overrides. Editing a row opens the auth-edit form with a mode picker and a credential picker (for modes that need one).
Multi-agent roles
Section titled “Multi-agent roles”For roles that support more than one agent, jackin provisions credentials for every supported agent at launch time — not just the one you selected for the initial session. You can start a second agent inside the same running container with jackin hardline --new --agent codex and it will not ask you to log in.
The secondary agent’s credentials were already placed in the container when Claude Code, Codex, Amp, or OpenCode launched the first session. For the full workflow, see Parallel Agents.
Each agent’s auth mode is evaluated independently. A role can use sync for Claude and ignore for Codex in the same workspace — jackin provisions each agent’s credential directory according to that agent’s resolved mode.
Launch-time validation
Section titled “Launch-time validation”When jackin’ resolves auth_forward for a launch, it verifies that any mode requiring a credential has one available in your env vars. If the credential is missing, the launch fails with an error that:
- shows which scope chose which mode for
Claude,Codex,Amp, andOpenCode, and - shows which scopes were checked for the missing env var.
That makes it obvious whether the right mode is in effect and whether the credential is missing entirely or just set at the wrong scope.
Troubleshooting
Section titled “Troubleshooting”Agent shows “Not logged in” after forwarding
Section titled “Agent shows “Not logged in” after forwarding”If the agent shows “Not logged in” or falls back to a different model tier (e.g. Sonnet instead of Opus), the credentials may not have been forwarded. Check:
- What mode is effective? Open the Auth tab in
jackin consolefor that workspace, and look at the effective mode for the (role × agent) cell. - Does the host have credentials? For
Claudeon macOS, checksecurity find-generic-password -s "Claude Code-credentials" -w. On Linux, check~/.claude/.credentials.json. ForCodex, check~/.codex/auth.json. ForAmp, check~/.local/share/amp/secrets.json(the file the Amp CLI writes theapiKey@https://ampcode.com/token into; the XDG_CONFIG file~/.config/amp/settings.jsonis preferences only and never holds the token). ForOpenCode, check~/.local/share/opencode/auth.json(the file the OpenCode CLI writes provider credentials into — for example, the Z.AI Coding Plan API key). - Is this a pre-existing container? In
syncmode, host credentials are forwarded on every launch — but if the host has no credentials, the container’s existing auth is preserved. If the container has stale auth and the host has fresh auth, restart the container (jackin eject <role> && jackin load <role>) or purge state (jackin purge <role>) to force a fresh sync.
Revoking forwarded credentials
Section titled “Revoking forwarded credentials”To stop forwarding and clear existing credentials, set the (workspace × role × agent) cell to ignore in the Auth tab and reload the agent:
jackin load <role> # next launch will reset to {}Or purge all state:
jackin purge <role>See also
Section titled “See also”- Authentication overview — the shared modes / scopes / defaults pattern jackin’ applies across every auth axis.
- GitHub CLI Authentication — parallel flow for the in-container
gh/git pushtoolchain. - Environment Variables — how the operator env-vars model supplies credentials for
api_keyandoauth_tokenmodes.