Authentication
Create a Gandi Personal Access Token, scope it, and configure gandi-cli.
gandi-cli authenticates with Personal Access Tokens (PATs), not legacy API keys. Gandi has no CLI login: there is no API to mint a token, so you create one once in the dashboard and hand it to the CLI.
Any command run without a token, or with one Gandi rejects, prints step-by-step setup guidance, so you never have to memorise the steps below.
Create a token
Generate a token at admin.gandi.net → Account → Personal Access Tokens → Create, granting only the permissions you need.
| Dashboard permission | Scope | Unlocks |
|---|---|---|
| Manage technical configuration of domains | domain:tech | DNS records and web redirections |
| View and renew domains | domain:view domain:renew | gandi domain list / renew |
For DNS work, Manage technical configuration (domain:tech) is the only
permission strictly required: it covers both DNS records and web redirections.
Leave every other product (Email, Web Hosting, Cloud, Certificates…) off unless
you use it: a narrower token is a smaller risk if it ever leaks.
Configure gandi-cli
The CLI checks the GANDI_API_KEY environment variable first, then the config
file; either mechanism works.
Via environment variable
export GANDI_API_KEY="your-token-here"
Via config file
Store the token in ~/.config/gandi/config.toml:
api_key = "your-token-here"
Troubleshooting
The error you see tells you which case you're in:
- Not authenticated: no token found in the environment or config file. Follow the steps above to create one.
- Token rejected: a token was found but Gandi refused it. Usual causes: it is expired, mistyped / partially pasted, or missing the scope for that command.
Best practices
- Only grant the permissions each command actually needs.
- Set an expiry date on the token. Gandi has no API to read or renew it, so rotate it manually when gandi doctor shows the expiry approaching.
- Use gandi doctor to verify scopes before running commands.
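An added example (not part of gandi-cli or its documentation): a POSIX shell preflight that follows the lookup order described under Configure gandi-cli, GANDI_API_KEY first and then the config file, and stores the token so that only the file's owner can read it. The function names, the single-line config layout and the owner-only (0600) permission check are assumptions of this example, not documented gandi-cli behaviour.

```sh
#!/bin/sh
# Added example. Function names are hypothetical, not part of gandi-cli.
# Assumption: the config file holds a single line of the form api_key = "...".

DEFAULT_CFG="$HOME/.config/gandi/config.toml"   # path given on this page

# Print the api_key value stored in a config file (empty if none).
gandi_file_token() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*api_key[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Report which source supplies the token: env, file or none.
# Mirrors the documented order: GANDI_API_KEY first, then the config file.
gandi_token_source() {
    cfg="${1:-$DEFAULT_CFG}"
    if [ -n "${GANDI_API_KEY:-}" ]; then
        echo env
    elif [ -n "$(gandi_file_token "$cfg")" ]; then
        echo file
    else
        echo none
    fi
}

# Succeed only if the file grants nothing to group or others.
gandi_config_is_private() {
    cfg="${1:-$DEFAULT_CFG}"
    [ -f "$cfg" ] || return 1
    [ "$(ls -ld "$cfg" | cut -c5-10)" = "------" ]
}

# Read a token from stdin (keeps it out of argv and shell history)
# and write it to the config file with owner-only permissions.
gandi_store_token() {
    cfg="${1:-$DEFAULT_CFG}"
    IFS= read -r token || :
    [ -n "$token" ] || return 1
    ( umask 077 && mkdir -p "$(dirname "$cfg")" && printf 'api_key = "%s"\n' "$token" > "$cfg" ) || return 1
    chmod 600 "$cfg"
}

# Preflight report for the current user.
src=$(gandi_token_source)
echo "token source: $src"
if [ "$src" = file ] && ! gandi_config_is_private; then
    echo "warning: $DEFAULT_CFG is readable by group or others" >&2
fi
```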