glab Authentication with Multiple GitLab Instances

When using glab (the GitLab CLI) with multiple GitLab instances - such as gitlab.com for personal projects and a self-hosted GitLab for work - authentication can become problematic if you’re using the GITLAB_TOKEN environment variable.

The Problem

glab supports per-host token configuration in its config file (~/.config/glab-cli/config.yml). Each host can have its own token:

hosts:
    gitlab.com:
        token: glpat-xxxxx
    gitlab.sehlat.io:
        token: glpat-yyyyy

However, if you set the GITLAB_TOKEN environment variable (commonly done in shell rc files), it overrides all per-host tokens. This means the same token gets used for every GitLab instance, causing 401 Unauthorized errors on instances where that token isn’t valid.

Running glab auth status shows the issue:

gitlab.com
  ✓ Logged in to gitlab.com as whumphreys (/home/will/.config/glab-cli/config.yml)

gitlab.sehlat.io
  x gitlab.sehlat.io: API call failed: GET https://gitlab.sehlat.io/api/v4/user: 401 {message: 401 Unauthorized}

! One of GITLAB_TOKEN, GITLAB_ACCESS_TOKEN, OAUTH_TOKEN environment variables is set.
  It will be used for all authentication.

The warning at the bottom is the key indicator.

The Solution

Remove the GITLAB_TOKEN export from your shell configuration and let glab use its per-host config file.

1. Find where GITLAB_TOKEN is set

grep -rn "GITLAB_TOKEN" ~/.bashrc ~/.zshrc ~/.bash_profile ~/.bashrc.local 2>/dev/null

Example output:

/home/will/.bashrc.local:3:export GITLAB_TOKEN="glpat-xxxxx"

2. Comment out or remove the export

Edit the file and comment out the line:

# DO NOT set GITLAB_TOKEN - it overrides glab's per-host config!
# Tokens are stored in ~/.config/glab-cli/config.yml per hostname.
# Use: glab auth login --hostname <hostname>
# export GITLAB_TOKEN="glpat-xxxxx"

3. Unset the variable in your current session

unset GITLAB_TOKEN

4. Authenticate each instance with glab

glab auth login --hostname gitlab.com
glab auth login --hostname gitlab.sehlat.io

5. Verify authentication

glab auth status

Expected output:

gitlab.com
  ✓ Logged in to gitlab.com as whumphreys (/home/will/.config/glab-cli/config.yml)

gitlab.sehlat.io
  ✓ Logged in to gitlab.sehlat.io as william.humphreys (/home/will/.config/glab-cli/config.yml)

Both instances now authenticate using their respective tokens from the config file.

glab Config File Location

glab stores its configuration at ~/.config/glab-cli/config.yml. The hosts section contains per-instance tokens:

hosts:
    gitlab.com:
        api_protocol: https
        api_host: gitlab.com
        token: glpat-xxxxx
    gitlab.sehlat.io:
        api_protocol: https
        api_host: gitlab.sehlat.io
        token: glpat-yyyyy

Conclusion

When working with multiple GitLab instances, avoid setting GITLAB_TOKEN as an environment variable. Use glab auth login for each instance and let glab manage tokens per-host in its config file.