
Authentication methods


Kiro supports the following authentication providers:

  • GitHub: Seamless integration with your GitHub account
  • Google: Sign in with your Google credentials
  • AWS Builder ID: Quick setup for individual developers
  • AWS IAM Identity Center: Enterprise-grade authentication
  • External identity provider: Connect through your organization's identity provider such as Microsoft Entra ID or Okta
Info

Users that have a paid Kiro subscription and access it through a social login provider (like GitHub or Google) or through AWS Builder ID are considered individual subscribers. We may use certain content from Kiro Free Tier and Kiro individual subscribers for service improvement. For more information on service improvement and how to opt out, see Service improvement.

Sign in to Kiro CLI

  1. At the command line, enter kiro-cli or kiro-cli login. You'll be prompted to press Enter to complete sign-in in your browser.
  2. In your browser, choose the organization or system through which you will authenticate:
    • Google
    • GitHub
    • Builder ID
    • Your organization — including AWS GovCloud (US)
  3. After you authenticate, you'll receive a message in your browser, directing you back to your terminal.
  4. When you return to your terminal, you should be signed in with the Kiro CLI.
Info

Individual login methods such as GitHub, Google, and AWS Builder ID are not available in AWS GovCloud (US) regions.

To confirm that you are using Kiro with AWS GovCloud (US), check that the Start URL used during authentication contains "us-gov-home", for example: https://start.us-gov-home.awsapps.com/directory/d-XXXXXXXXXX

Kiro uses the same download/installer for both commercial and AWS GovCloud (US) regions. IAM Identity Center authentication automatically routes traffic to the appropriate AWS GovCloud (US) region. Kiro IDE version 0.9.2+ and Kiro CLI version 1.25.0+ are required for AWS GovCloud (US) regions support.

Sign in from a remote machine

When running Kiro CLI on a remote machine (via SSH, SSM, containers, etc.), authentication works differently since the remote machine cannot open a browser.

Device flow

Builder ID, IAM Identity Center, Google, and GitHub support device flow authentication in remote environments. The CLI displays a URL and a one-time code that you enter in any browser; no port forwarding is required.

Info

External identity provider (IdP) login is not currently supported with device flow authentication. The team is working on adding support for this.

  1. Run kiro-cli login and select your sign-in method (for example, Use with Builder ID, Use with Google, Use with GitHub, or Use with Your Organization)
  2. The CLI displays a URL and a one-time code
  3. Open the URL in any browser (on your local machine, phone, or another device)
  4. Enter the code and complete authentication
  5. The CLI detects the successful login automatically

No port forwarding or tunnel setup required.

Authenticate with an API key (headless mode)

For CI/CD pipelines and automation scripts, you can authenticate using an API key instead of interactive sign-in.

Generate an API key

Info

API key based authentication is only available for Kiro Pro, Pro+, and Power subscribers. If you are using a subscription managed by an administrator, your Kiro admin needs to enable API key authentication first. See API key governance.

  1. Sign in to app.kiro.dev with your Kiro Pro, Pro+, or Power account.
  2. Navigate to the API Keys section.
  3. Create a new API key and copy it. The full key value is only shown at creation time. Set a meaningful name to remember the context of the key.
Warning

API keys are long-lived credentials. Store them securely and rotate them according to your organization's credential policy. If a key is compromised, revoke it immediately in the Kiro web console.

Use the API key

Set the KIRO_API_KEY environment variable and run Kiro CLI in non-interactive mode:

bash
export KIRO_API_KEY=ksk_xxxxxxxx
kiro-cli chat --no-interactive "your prompt here"

On Windows:

powershell
$env:KIRO_API_KEY = "ksk_xxxxxxxx"
kiro-cli chat --no-interactive "your prompt here"

API key authentication supports all Kiro CLI features available in non-interactive mode. For interactive sessions, use browser-based sign-in instead.

For CI/CD pipelines, automation scripts, and detailed headless usage, see Headless mode.

Authentication precedence

When multiple credentials are available, Kiro CLI uses this precedence order:

  1. Active browser session (from kiro-cli login)
  2. KIRO_API_KEY environment variable
  3. No credentials — CLI prompts you to sign in

To check which authentication method is active, run kiro-cli whoami.
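
The storage warning and the precedence order above combine into one practical risk on CI runners: a leftover browser session on the runner is used instead of the pipeline's key. The wrapper below is an added example, not Kiro's own tooling; the function names and the key-file argument are hypothetical, and it assumes kiro-cli logout is harmless when no session exists.

```bash
#!/usr/bin/env bash
# Added example: headless wrapper for a CI runner. Function names and the
# key-file path are hypothetical; only the kiro-cli commands come from the docs.

# Succeed only if the key file is a regular file with no group/other permission bits.
key_file_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 of the mode string = group + other
  [ "$perms" = "------" ]
}

# Mask a key for log output: keep the first four characters, hide the rest.
redact_key() {
  printf '%s****\n' "$(printf '%s' "$1" | cut -c1-4)"
}

# Load the key from a private file into the environment, then run one prompt.
# The key never appears on a command line, so it stays out of shell history
# and process listings.
run_headless() {
  key_file=$1
  prompt=$2
  if ! key_file_is_private "$key_file"; then
    echo "refusing: $key_file is missing or group/world accessible" >&2
    return 1
  fi
  KIRO_API_KEY=$(tr -d '\r\n' < "$key_file")
  if [ -z "$KIRO_API_KEY" ]; then
    echo "refusing: $key_file is empty" >&2
    return 1
  fi
  export KIRO_API_KEY
  echo "using API key $(redact_key "$KIRO_API_KEY")" >&2

  # An active browser session takes precedence over KIRO_API_KEY, so drop any
  # session left on the runner (assumption: logout is a no-op without one).
  kiro-cli logout >/dev/null 2>&1 || true
  kiro-cli whoami                       # record the active identity in the job log
  kiro-cli chat --no-interactive "$prompt"
}
```

Run the logout step only on dedicated runners; on a developer workstation it would end the interactive session.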

Credits consumed using the API key are decremented from your subscription credits.

Sign out of Kiro CLI

To sign out of Kiro CLI

  1. At the command line, enter kiro-cli logout.

Troubleshooting authentication issues

If you encounter problems during the authentication process, such as browser redirect failures or sign-in errors, check our troubleshooting guide for platform-specific solutions and common fixes.

Next steps

  • Review FAQ
  • Explore Chat features
  • Get started with Kiro CLI
Page updated: April 29, 2026