From @scotwells:

Authenticate without a browser - The authentication process relies on the user having a browser on the same host as datumctl to handle the OAuth code exchange challenge. Ideally we would also support users being able to receive a code in a browser on another computer that they can feed into the CLI's authentication process so it can complete the code challenge. Google and other providers have this capability.