Skip to main content

Controlplane API Tokens

The Chainloop CLI is used to interact with the Chainloop Control Plane supports two authentication methods.

User Authentication

  • Meant for interactive use
  • Associated with an user account
  • Valid for 24 hours

They can be obtained by running the chainloop auth login command.

API tokens

Alternatively, you can create Service Accounts (API Tokens) that

  • Are meant for non-interactive use, i.e automation
  • Are associated with a organization
  • Have a customizable expiry time that can be manually revoked
  • Can operate with Chainloop Workflows and Attestations
  • Supports ACL for fine-grained access control (SOON)

You can operate on your organization API tokens using the chainloop organization api-token command.

$ chainloop organization api-token -h
Manage API tokens to authenticate with the Chainloop API.

Usage:
  chainloop organization api-token [command]

Aliases:
  api-token, token

Available Commands:
  create      Create an API token
  list        List API tokens in this organization
  revoke      revoke API token

and then they can be used by the CLI by either setting CHAINLOOP_TOKEN environment variable or by using the --token flag, for example

chainloop workflow list --token <your-token>

Attestations

API Tokens can be used to perform attestations, the only requirement is that the operator should create a workflow prior to run the attestation and an api token. Example:

$ chainloop wf create --name release-demo-wf --description "Showcase of API Token creating wf" --project core --token $API_TOKEN --skip-robot-account-create
INF API token provided to the command line
┌──────────────────────────────────────┬─────────────────┬─────────┬─────────────────────┬────────┬─────────────────┐
│ ID                                   │ NAME            │ PROJECT │ CREATED AT          │ RUNNER │ LAST RUN STATUS │
├──────────────────────────────────────┼─────────────────┼─────────┼─────────────────────┼────────┼─────────────────┤
│ 0cfff272-2a7d-43cf-bbb0-087043fc028c │ release-demo-wf │ core    │ 13 May 24 11:08 UTC │        │                 │
└──────────────────────────────────────┴─────────────────┴─────────┴─────────────────────┴────────┴─────────────────┘

The flag --skip-robot-account-create prevents the creation of a robot account that will be of no use since we will be using CHAINLOOP_TOKEN instead. Once the workflow is created, the attestation process remains pretty much the same:

$ chainloop attestation init --workflow-name release-demo-wf --token $API_TOKEN
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 13 May 24 12:23 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 810472ab-484f-4499-8805-f2024d2b4a47 │
│ Name              │ release-demo-wf                      │
│ Team              │                                      │
│ Project           │ core                                 │
│ Contract Revision │ 1                                    │
└───────────────────┴──────────────────────────────────────┘