Skip to main content


Spotflow CLI is designed with security in mind. CLI does not handle or store user credentials such as passwords or OTPs. Instead, authentication is delegated to Auth0 or Microsoft Entra identity providers and CLI only works with OAuth2 time-limited and narrowly scoped access tokens and refresh tokens that might be cached on local disk in user profile/home directory.

In case of any discovered vulnerabilities or any other security-related concerns/questions, please see

Token protection

Access tokens and refresh tokens that are cached on disk have different level of protection, depending on the operation system used. Tokens are encrypted with user-scoped DPAPI. On Linux and macOS, the tokens are stored in a plain text file because no suitable OS-level data protection API is available.

Code Signing (Windows only)

CLI executable file for Windows (.exe) is code-signed with a certificate issued by GlobalSign:

  • Root CA certificate: GlobalSign Code Signing Root R45.
  • Intermediate CA certificate: GlobalSign GCC R45 CodeSigning CA 2020.

Details about leaf certificate and signing parameters are as follows:

  • Issued to Spotflow s.r.o..
  • Valid until 2025-02-09.
  • Signature algorithm: SHA256RSA with 4096-bit RSA key.
  • Signature is securely timestamped by
  • Fingerprints are listed below: