CLI ToolsMay 14, 2026·2 min read

oidc-agent — OIDC Tokens for Scripts (ssh-agent)

oidc-agent manages OpenID Connect tokens like ssh-agent: start the agent, create configs with oidc-gen, then fetch tokens for scripts via oidc-token.

Script Depot
Script Depot · Community
Agent ready

This asset can be read and installed directly by agents

TokRepo exposes the CLI command, metadata JSON, install plan, and raw content links so agents can judge fit, risk, and next actions.

Native · 94/100Policy: allow
Target
Claude Code, Codex, Gemini CLI
Kind
Cli
Install
Brew|Apt
Trust
Trust: Established
Entrypoint
oidc-token <shortname>
CLI install command
npx tokrepo install f941a4c9-6ba5-56d1-9174-46ab48535b4f --target codex
metadata JSONinstall planraw content
Intro

oidc-agent manages OpenID Connect tokens like ssh-agent: start the agent, create configs with oidc-gen, then fetch tokens for scripts via oidc-token.

Best for: CLI-first workflows that need short-lived OIDC tokens for APIs, MCP servers, or automation scripts

Works with: Linux packages or Homebrew; supports multiple OIDC flows (README mentions device flow) and token retrieval via CLI

Setup time: 10-25 minutes

Key facts (verified)

  • GitHub: 149 stars · 36 forks · pushed 2026-04-30.
  • License: MIT · owner avatar + repo URL verified via GitHub API.
  • README-backed entrypoint: oidc-token <shortname>.

Main

  • Treat it like ssh-agent: start the service early (login/X session) and rely on environment variables to locate the socket.

  • Prefer oidc-token <issuer_url> in scripts when portability matters; README recommends issuer_url for shareable scripts.

  • Use device flow on headless hosts: README notes oidc-gen --flow=device when a browser isn't available.

Source-backed notes

  • README shows macOS install via Homebrew: brew tap indigo-dc/oidc-agent then brew install oidc-agent.
  • README quickstart starts the agent with eval oidc-agent-service start`` and uses oidc-gen + oidc-token.
  • README mentions device flow via --flow=device and describes listing configs with oidc-add -l / oidc-gen -l.

FAQ

  • Do I need a browser to authenticate?: Not always. README says you can use device flow (--flow=device) on hosts without a browser.
  • Can it manage multiple accounts?: Yes. README says multiple account configurations can be loaded concurrently.
  • Where is the documentation?: README points to https://indigo-dc.github.io/oidc-agent/ for full docs.
🙏

Source & Thanks

Source: https://github.com/indigo-dc/oidc-agent > License: MIT > GitHub stars: 149 · forks: 36

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

CLI-Anything — Install Agent-Native CLIs via CLI-Hub

CLI-Anything makes software agent-native: install CLI-Hub (`pip install cli-anything-hub`) and add harnesses via `npx skills add ... --skill ...`.

CLI Tools
Script Depot

Reasonix — DeepSeek-Native Coding Agent CLI

Reasonix is a DeepSeek-native coding agent CLI for the terminal; README reports a 99.82% cache hit in a real-day case study.

CLI Tools
Script Depot

linear-cli — Issue Management CLI (Git/JJ Aware)

linear-cli manages Linear issues from the terminal (list/start/create) and even ships an agent skill; verified 701★ and pushed 2026-05-14.

CLI Tools
Script Depot

dingtalk-workspace-cli — Agent-Ready DingTalk CLI

dingtalk-workspace-cli (dws) is DingTalk’s open-source CLI for humans and AI agents, with OAuth login and `--dry-run` request previews.

CLI Tools
Script Depot
Home🔍Search👤Me