Authentication
Suno has no public API and issues no API keys. rs-suno authenticates the same
way the Suno web app does: with your Clerk __client session cookie. You paste
that cookie into rs-suno once, and it mints the short-lived tokens it needs
from there.
How it works
- You supply your __client session token (a long string).
- On each run, rs-suno sends that token to Clerk (clerk.suno.com) and mints a short-lived JSON Web Token (JWT).
- It refreshes the JWT automatically, shortly before it expires, so long runs do not stall.
- Only the minted JWT is sent to the Suno API. Your __client cookie is sent only to Clerk, never to Suno’s API host.
If authentication fails partway through a run, rs-suno stops that account
cleanly rather than hammering the server, and re-authenticates on the next run.
Get your __client token
The token lives in your browser once you are logged in to Suno:
- Log in at suno.com in your browser.
- Open the browser developer tools (F12 on most browsers).
- Go to the storage or application panel and find Cookies.
- Select the Suno/Clerk origin and copy the value of the cookie named __client.
rs-suno accepts the token in whichever form is convenient: the raw value, a
__client=<value> assignment, or the full Cookie: header string. Treat this
value like a password. Anyone with it can access your library.
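One way to reduce the three accepted forms to the bare value, as an added example in Rust that is not rs-suno's own code: normalize_token, ClientToken and the sample cookie values are hypothetical, and the raw value is assumed to contain no = or ; characters. The redacting Debug impl keeps the secret out of logs and panic messages.

```rust
use std::fmt;

/// Newtype so the secret cannot leak through `{:?}` in logs or panics.
pub struct ClientToken(String);

impl fmt::Debug for ClientToken {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ClientToken([redacted])")
    }
}

impl ClientToken {
    /// Explicit accessor: the only way to read the secret back out.
    pub fn expose(&self) -> &str { &self.0 }
}

/// Hypothetical helper: accepts the raw value, `__client=<value>`, or a full
/// `Cookie:` header. Assumes the raw value itself contains no '=' or ';'.
pub fn normalize_token(input: &str) -> Option<ClientToken> {
    let mut s = input.trim();
    // Full header form: drop the "Cookie:" field name (case-insensitive).
    if s.get(..7).map_or(false, |p| p.eq_ignore_ascii_case("cookie:")) {
        s = s[7..].trim();
    }
    let value = if s.contains('=') {
        // Assignment or header form: take the pair named exactly "__client".
        // A prefix match would wrongly accept a cookie such as "__client_uat".
        s.split(';')
            .filter_map(|pair| pair.trim().split_once('='))
            .find(|(name, _)| name.trim() == "__client")
            .map(|(_, v)| v.trim())?
    } else {
        s // raw value form
    };
    let value = value.trim_matches('"');
    // Empty or whitespace-containing values usually mean a mangled paste.
    if value.is_empty() || value.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return None;
    }
    Some(ClientToken(value.to_string()))
}

fn main() {
    // Constructed sample input, not a real session value.
    let t = normalize_token("Cookie: __client_uat=1700000000; __client=eyJ.sample.sig").unwrap();
    println!("{:?} ({} bytes)", t, t.expose().len());
}
```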
Provide the token
You can supply the token three ways, in order of precedence:
- The --token <TOKEN> flag.
- The SUNO_TOKEN environment variable (or the per-account SUNO_<LABEL>_TOKEN).
- The token field in your config file, which is the usual place for it.
The interactive setup writes it to the config for you:
suno config init
See Configuration for the file format and for running multiple accounts.
Check and refresh a token
Confirm a stored token still works by re-minting its JWT:
suno auth refresh <account>
On success it prints the account and its display name. If you omit the account
label, it uses your single configured account; pass --all to check every one.
When a token stops working (you logged out, or Suno rotated the session), update it:
suno config add-account <account> --token <new-token>
Keeping the token safe
rs-suno never prints your token or a minted JWT:
- suno config show redacts every token, printing [redacted].
- The --token flag hides its environment value in help output.
- The __client cookie is only ever sent to Clerk; the Suno API only ever receives the short-lived JWT.
Never commit a token to source control or paste it into logs or issues.