@nanstey/pi-auth-profiles

Per-project auth profiles for pi — keep separate OAuth/API-key credentials per account and switch with /profile

Packages

Package details

extension

Install @nanstey/pi-auth-profiles from npm and Pi will load the resources declared by the package manifest.

npm repohome report
$ pi install npm:@nanstey/pi-auth-profiles
Package
@nanstey/pi-auth-profiles
Version
0.1.0
Published
Jun 10, 2026
Downloads
not available
Author
nanstey
License
MIT
Types
extension
Size
11.6 KB
Dependencies
0 dependencies · 0 peers
Pi manifest JSON
{
  "extensions": [
    "./extensions"
  ]
}

Security note

Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.

README

@nanstey/pi-auth-profiles

Configure multiple auth profiles for pi.

Keep separate OAuth/API-key credentials per profile (default, work, personal, client) and have /login, /logout, and token refresh operate based on the repo.

Install

pi install npm:@nanstey/pi-auth-profiles

Usage

/profile                 show the active profile, its file, and providers
/profile list            list all profiles and their providers
/profile use <name>      set this project's profile (writes .pi/settings.json)
/profile default <name>  set the global fallback profile
/profile clear           remove this project's profile setting

Typical setup:

Start pi tui:

cd ~/work/some-repo
pi

Configure auth profile:

/profile use work        # this repo now uses the "work" profile
/login                   # credentials are saved to the work profile

How it works

Each profile is a separate credential file:

Profile File
default ~/.pi/agent/auth.json
<name> ~/.pi/agent/auth-profiles/<name>.json

The active profile is resolved per session, first match wins:

  1. "authProfile" in <project>/.pi/settings.json — only when the project is trusted
  2. "defaultProfile" in ~/.pi/agent/auth-profiles.json
  3. default (plain auth.json, identical to pi without this extension)

The extension rebinds pi's live credential storage at session_start (after project trust is resolved) and again whenever you run /profile use, so the built-in /login, /logout, and OAuth token refresh all read and write the active profile's file immediately.

.pi/settings.json is committable, so a team repo can pin which profile name it expects without sharing any credentials.

Notes

  • Profiles are isolated on purpose: a profile does not fall back to auth.json for providers it lacks — log in once per profile instead. Sharing OAuth credentials across files breaks when providers rotate refresh tokens. Environment variables (ANTHROPIC_API_KEY, …) and models.json keys still apply in every profile.
  • Profile names may contain letters, numbers, dots, underscores, and dashes.

License

MIT