Skipper

Appearance

Authentication

Skipper uses browser-based authentication for both the web console and the CLI. The identity provider is Dex, deployed automatically during installation.

CLI authentication

Before using commands that interact with the console API (like kip app rebuild or kip service bind), authenticate with your cluster:

bash
kip auth login
  Logging in to happysrv...

  Opening browser for authentication...

Your browser opens the Dex login page. After signing in, you'll see a confirmation page and the terminal shows:

  ✔  Authenticated as admin@203-0-113-10.kipper.run

How it works

  1. The CLI starts a temporary local HTTP server on localhost:18741
  2. Your browser opens the Dex authorization page at dex-{cluster-domain}.kipper.run
  3. You sign in with your Skipper credentials (the same ones you use for the web console)
  4. Dex redirects back to the local server with an authorization code
  5. The CLI exchanges the code directly with Dex for an ID token and refresh token
  6. Tokens are stored in ~/.kip/auth.json (per cluster)

TIP

When you set a custom domain with kip cluster domain, the Dex URL is automatically updated to match (e.g. dex-skipper-labb-tools.kipper.run). No manual configuration needed.

Token lifetime

  • ID tokens expire after 24 hours
  • Refresh tokens remain valid for 30 days of inactivity
  • The CLI refreshes ID tokens automatically, so you won't need to log in again for weeks
  • If the refresh token expires, run kip auth login again

Check your auth status

bash
kip auth status
  Cluster: happysrv
  Email:   admin@203-0-113-10.kipper.run
  Status:  authenticated

Log out

bash
kip auth logout

This removes stored tokens for the current cluster. Other clusters are not affected.

Console authentication

The web console authenticates through the same Dex instance. When you visit the console URL, you're redirected to the Dex login page. After signing in, a session token is stored in your browser.

Admin credentials

During kip install, an admin account is created automatically. The credentials are displayed once. Save them securely.

Reset the admin password

If you lose the admin password:

bash
kip auth reset-password
  Admin password reset.
  Email:    admin@203-0-113-10.kipper.run
  Password: 5b2bf14ef6525...

This generates a new password, updates the Dex configuration, and restarts Dex. The new credentials take effect immediately.

Released under the Apache 2.0 License.

Copyright © 2026 Labb Consulting