Headless & CI
oura-toolkit is built to run where there’s no browser and no interactive terminal — remote
hosts, containers, and CI. Three mechanisms cover those cases.
Paste-back login (--no-browser)
Section titled “Paste-back login (--no-browser)”On a remote or headless host where the OAuth loopback callback can’t reach you (SSH,
containers), add --no-browser to either auth command:
oura auth login --no-browseroura auth setup --no-browserThe CLI prints the authorize URL; you approve it in a browser on any machine, then paste the
full redirect URL back into the terminal. The same state CSRF check applies, and a mismatch
aborts. An SSH session is auto-detected and --no-browser is suggested for you.
Environment overrides
Section titled “Environment overrides”Read once at startup; empty or whitespace-only values are ignored (treated as unset).
OURA_ACCESS_TOKEN
Section titled “OURA_ACCESS_TOKEN”A raw OAuth access token used by the data commands and oura mcp, bypassing the token store
entirely — no login, no refresh. It takes precedence over any stored login. When Oura rejects
it (expired/invalid), the command exits 4 and tells you to export a fresh one; the MCP server
returns a structured tool error. This is the intended path for CI and one-shot agents.
OURA_ACCESS_TOKEN=<token> oura sleep --jsonOURA_ACCESS_TOKEN=<token> oura mcpThe oura auth account commands (status / token / refresh / logout) still operate on
the store, not this variable.
OURA_API_BASE_URL
Section titled “OURA_API_BASE_URL”Points the client at an alternate Oura host, a proxy, or a mock (default
https://api.ouraring.com). A trailing slash is trimmed. Over plain http:// the Bearer token
is sent in cleartext — use that only for a trusted local proxy or mock, never a real network
path.
OURA_API_BASE_URL=http://localhost:8080 oura personal-infoNO_COLOR
Section titled “NO_COLOR”Disables ANSI color (same as the --no-color flag), following
no-color.org.
Putting it together in CI
Section titled “Putting it together in CI”A typical CI step injects a short-lived token and reads data as JSON:
OURA_ACCESS_TOKEN="$OURA_TOKEN" oura readiness --json > readiness.jsonstatus=$?if [ "$status" -eq 4 ]; then echo "token rejected — export a fresh OURA_ACCESS_TOKEN" >&2fi