workit supports a headless OAuth flow designed for AI agents and automation. The CLI binds to 0.0.0.0, detects and displays your outbound IP, and auto-closes after authentication completes — no localhost tunnels or manual port-forwarding required.
wk auth manage→ binds local HTTP server to0.0.0.0:8085, prints your outbound IP so you can open the URL from any device- User completes OAuth → Google redirects to
auth.automagik.dev(the default callback server — no GCP client needed for most users) - Callback server stores token → Token held temporarily (15-minute TTL)
- CLI polls for token → Retrieves and stores in keychain, then auto-closes the local server
┌─────────┐ ┌──────────┐ ┌─────────────────────┐ ┌────────┐
│ CLI │────▶│ Google │────▶│ auth.automagik.dev │────▶│ CLI │
│ (agent) │ │ OAuth │ │ (callback server) │ │ (poll) │
└─────────┘ └──────────┘ └─────────────────────┘ └────────┘
│ │ │ │
│ auth URL │ │ │
└──────────────▶│ user login │ │
│────────────────────▶│ store token │
│ │◀─────────────────────│
│ │ GET /token/xxx │
│ │─────────────────────▶│
│ │ {refresh_token} │
│ │◀─────────────────────│
wk auth manageThis is the recommended entry point for all auth flows. It:
- Binds to
0.0.0.0:8085(accessible from any device on the same network or via public IP) - Displays your outbound IP so you know which URL to open
- Uses
auth.automagik.devas the default callback server (no GCP client needed for most users) - Auto-closes the local server once authentication completes
For fully automated or agent-driven environments where you want to capture the auth URL programmatically:
wk auth manage --print-urlOutput:
{"url":"http://203.0.113.42:8085","port":8085}Your agent can open this URL or present it to the user, then poll for completion.
# Standard OAuth — opens browser automatically (interactive environments)
wk auth add you@gmail.com --services=user
# Headless: generate auth URL without opening browser
wk auth add you@gmail.com --headless --services=user# Just output the URL, don't poll (for async workflows)
wk auth add you@gmail.com --headless --no-poll --services=user
# Later, poll manually:
wk auth poll abc123xyzwk auth add you@gmail.com --headless --json
# Output:
{
"auth_url": "https://accounts.google.com/o/oauth2/v2/auth?...",
"state": "abc123xyz",
"poll_url": "https://auth.automagik.dev/token/abc123xyz",
"expires_in": 300
}auth.automagik.dev is the default callback server — most users do not need to configure anything. The callback server URL can be overridden in order of precedence:
- Flag:
--callback-server=https://your-server.example.com - Environment:
WK_CALLBACK_SERVER=https://your-server.example.com - Build-time default: Compiled into binary with
-ldflags
For headless mode, OAuth credentials are resolved in order:
- File:
~/.config/workit/credentials.json(standard flow) - Build-time defaults: Compiled into binary with
-ldflags - Environment:
WK_CLIENT_IDandWK_CLIENT_SECRET
Set the callback server URL or rely on the default:
export WK_CALLBACK_SERVER=https://auth.automagik.devThe user didn't complete authentication within the timeout (default 5 minutes). Try again with a longer timeout:
wk auth add you@gmail.com --headless --poll-timeout=10mThe token was already polled and consumed. Each auth flow produces a single-use token. Start a new auth flow.
The user signed in with a different email than specified. Ensure the correct Google account is used.
- State parameter: Prevents CSRF attacks by binding the auth flow to a specific session
- Token TTL: Tokens expire from the callback server after 15 minutes
- Single use: Tokens are consumed on first retrieval
- HTTPS: Always use HTTPS for the callback server in production
- Outbound IP binding:
wk auth managebinds to0.0.0.0and shows your outbound IP — ensure firewall rules are appropriate for your environment
To set up your own callback server instead of auth.automagik.dev, see the BYO GCP section in auth.md.