Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

Issue: The Braintrust CLI fails to authenticate via OAuth or API key, with errors like failed to call oauth token endpoint or invalid peer certificate: UnknownIssuer when running bt auth login or bt setup. Cause: The CLI defaults to Braintrust hosted endpoints; corporate TLS inspection can also intercept traffic and re-sign certificates with an untrusted CA. Resolution: Point the CLI at your self-hosted data plane and, if your network intercepts TLS traffic, configure BRAINTRUST_CA_CERT to trust your CA bundle.

Resolution steps

If you see failed to call oauth token endpoint:

Step 1: Set your API URL and if necessary your APP URL

export BRAINTRUST_API_URL="https://<your-api-url>"
export BRAINTRUST_APP_URL="https://<your-app-url>"

Step 2: Authenticate

OAuth: 
bt auth login --no-browser
API key: 
export BRAINTRUST_API_KEY="<your_key>"

Step 3: Verify connectivity

bt auth profiles
bt status --verbose

If you see invalid peer certificate: UnknownIssuer:

Your network is intercepting and re-signing TLS traffic. Configure your CA bundle.

Step 1: Set the CA cert path

export BRAINTRUST_CA_CERT="/path/to/ca_bundle.pem"

Step 2: Run bt setup with the CA cert flag

bt setup --api-key "$BRAINTRUST_API_KEY" --agent <your-agent> --ca-cert "$BRAINTRUST_CA_CERT"

Step 3: Verify

bt status --verbose