Authentication Methods
The Chainloop CLI supports three methods to authenticate with the Chainloop Platform:
User Authentication
Purpose: For interactive use and attestations
Association: Tied to a user account.
Duration: Valid for 24 hours
They can be obtained by running the chainloop auth login command.
Chainloop API tokens
Purpose:
For non-interactive use (automation) such as CI/CD.
To perform attestations
Association: Project-scoped or organization-scoped.
Features:
Customizable expiry and manual revocation.
Supports fine-grained ACL for access control.
You can operate on your organization API tokens using the chainloop organization api-token command.
You can manage your API tokens in the API Tokens Section.
They can then be used by the CLI by either setting the CHAINLOOP_TOKEN environment variable or by using the --token flag, for example
Keyless OIDC Authentication
In some cases, such as GitLab, you can use the CI/CD platform's machine identity to authenticate with Chainloop instead of using Chainloop API tokens.
Purpose:
For non-interactive use (automation) such as CI/CD.
To perform attestations
Check the GitLab Keyless Attestations guide for more information.