Support SigCLI as cookie provider (auto-refresh, headless-friendly) #58

@brelian

Hi! I'm the author of SigCLI, a CLI credential manager. I think it could complement twitter-cli's auth flow nicely, especially for headless/SSH scenarios where browser cookie extraction doesn't work.

The problem

twitter-cli's browser extraction is great on local machines, but hits issues in:

  • SSH sessions (macOS Keychain locked)
  • Headless servers (no browser installed)
  • Cookie expiration (need to re-login in browser manually)

How SigCLI helps

SigCLI manages browser cookies with auto-validation and refresh. After a one-time sig login x, it provides fresh cookies on demand.

SigCLI setup for X/Twitter (2 minutes)

1. Install

npm install -g @sigcli/cli
sig init

2. Configure the X provider

Add this to ~/.sig/config.yaml under providers::

  x:
    domains:
      - x.com
      - twitter.com
    entryUrl: https://x.com/
    validateUrl: https://x.com/i/api/2/notifications/all.json?count=1
    strategy: browser
    extract:
      - from: cookies
        as: cookie
        match: "*"
      - from: cookies
        as: ct0
        match: "ct0"
      - from: cookies
        as: auth_token
        match: "auth_token"
    apply:
      - in: header
        name: Cookie
        value: "${cookie}"
      - in: header
        name: x-csrf-token
        value: "${ct0}"

If you need a proxy (e.g. in regions where X is blocked):

    networkProxy: socks5://127.0.0.1:1080

3. Login (one-time, opens browser)

sig login x

This opens a browser, you log in normally, sigcli captures and encrypts the cookies.

4. Use with twitter-cli

# sig run injects SIG_X_* env vars, map them to what twitter-cli expects
sig run x -- bash -c 'TWITTER_AUTH_TOKEN=$SIG_X_AUTH_TOKEN TWITTER_CT0=$SIG_X_CT0 twitter feed'

That's it. When cookies expire, sig run automatically re-validates and refreshes.

sig run x injects these env vars

  • SIG_X_COOKIE — full cookie string (all Twitter cookies)
  • SIG_X_CT0 — ct0 value
  • SIG_X_AUTH_TOKEN — auth_token value

Alternative: sig get

export TWITTER_CT0=$(sig get x --no-redaction --format json | jq -r '.headers["x-csrf-token"]')
export TWITTER_AUTH_TOKEN=$(sig get x --no-redaction --format json | jq -r '.headers.Cookie' | grep -oP 'auth_token=\K[^;]+')
twitter feed

Optional: native support

If interested, twitter-cli could add sigcli as a fallback in the auth chain — check if sig binary exists and call sig get x --no-redaction --format json:

import json
import subprocess
from typing import Dict, Optional


def load_from_sigcli() -> Optional[Dict[str, str]]:
    """Fetch X cookies from sigcli; return None if unavailable or malformed."""
    try:
        result = subprocess.run(
            ["sig", "get", "x", "--no-redaction", "--format", "json"],
            capture_output=True, text=True, timeout=10
        )
        if result.returncode != 0:
            return None
        data = json.loads(result.stdout)
        cookie_str = data["headers"]["Cookie"]
        ct0 = data["headers"]["x-csrf-token"]
        # Default of None avoids an uncaught StopIteration when auth_token is absent
        auth_token = next(
            (p.split("=", 1)[1] for p in cookie_str.split("; ")
             if p.startswith("auth_token=")),
            None,
        )
        if auth_token is None:
            return None
        return {"auth_token": auth_token, "ct0": ct0, "cookie_string": cookie_str}
    except (FileNotFoundError, subprocess.TimeoutExpired, KeyError, json.JSONDecodeError):
        return None

Auth priority would become: env vars → sigcli → browser extraction.

Why bother

  • Cookie auto-refresh — sigcli validates before returning, re-authenticates if expired
  • Works on headless servers — sig remote + sig sync pushes credentials from local machine
  • Encrypted storage — AES-256-GCM, vs browser cookie DB decryption headaches
  • Already works today without any code changes (via env var mapping)

GitHub: https://github.com/sigcli/sigcli
Install: npm install -g @sigcli/cli
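
An added example, not part of the issue or of either project's code: a stricter parser for the JSON that the proposed fallback reads, which tolerates cookie pairs separated by ";" without a space, rejects output where the x-csrf-token header and the ct0 cookie disagree, and gives a log-safe view of the secrets. It assumes the output shape used in the snippet above (headers.Cookie and headers["x-csrf-token"]); the sample values and the names creds_from_sig_json, parse_cookie_header and redact are constructed for illustration.

```python
import json
from typing import Dict, Optional

Creds = Dict[str, str]

# Constructed sample of `sig get x --no-redaction --format json` output; the
# shape (headers.Cookie, headers["x-csrf-token"]) is assumed from the snippet above.
SAMPLE = json.dumps({"headers": {
    "Cookie": "guest_id=v1%3A1;auth_token=aaaa1111bbbb2222; ct0=cccc3333dddd4444",
    "x-csrf-token": "cccc3333dddd4444",
}})


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header on ';', tolerating missing spaces and stray parts."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            jar[name] = value
    return jar


def creds_from_sig_json(raw: str) -> Optional[Creds]:
    """Return credentials, or None if the output is malformed or inconsistent."""
    try:
        headers = json.loads(raw)["headers"]
        cookie_str, csrf = headers["Cookie"], headers["x-csrf-token"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    if not isinstance(cookie_str, str) or not isinstance(csrf, str):
        return None
    jar = parse_cookie_header(cookie_str)
    auth_token = jar.get("auth_token")
    # The provider config derives x-csrf-token from the ct0 cookie, so a
    # mismatch means the two values do not belong together: fall through.
    if not auth_token or not csrf or jar.get("ct0") != csrf:
        return None
    return {"auth_token": auth_token, "ct0": csrf, "cookie_string": cookie_str}


def redact(creds: Creds) -> Dict[str, str]:
    """Log-safe view: keep only the last 4 characters of each secret."""
    return {k: "***" + v[-4:] for k, v in creds.items() if k != "cookie_string"}
```

Returning None on any inconsistency lets the caller fall through to the next source in the auth chain instead of sending a request with mismatched credentials.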
