The Chainloop CLI supports three methods to authenticate with the Chainloop Platform:

User Authentication

  • Purpose: For interactive use and attestations
  • Association: Tied to a user account.
  • Duration: Valid for 24 hours

User credentials can be obtained by running the chainloop auth login command.

Chainloop API tokens

  • Purpose:
    • For non-interactive use (automation) such as CI/CD.
    • To perform attestations
  • Association: Tied to an organization.
  • Features:
    • Customizable expiry and manual revocation.
    • Supports fine-grained ACL for access control.

You can operate on your organization API tokens using the chainloop organization api-token command.

You can manage your API tokens in the API Tokens Section.

The CLI can then use a token in one of two ways: by setting the CHAINLOOP_TOKEN environment variable or by passing the --token flag.
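As an added example (not from the Chainloop documentation), this POSIX shell helper uses the environment-variable route in a CI job: it reads the API token from a file, refuses the file if group or other accounts can access it, and sets CHAINLOOP_TOKEN only for the wrapped command. The helper name with_chainloop_token and the token file path are assumptions.

```shell
#!/bin/sh
# Added example, not Chainloop's own code. with_chainloop_token is a
# hypothetical helper and the token file location is an assumption.
# Usage: with_chainloop_token /path/to/token-file chainloop <subcommand...>
with_chainloop_token() {
    if [ "$#" -lt 2 ]; then
        echo "usage: with_chainloop_token TOKEN_FILE COMMAND [ARGS...]" >&2
        return 2
    fi
    token_file=$1
    shift
    # -s: the file must exist and be non-empty
    if [ ! -s "$token_file" ]; then
        echo "token file missing or empty: $token_file" >&2
        return 2
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    # Anything but "------" means other accounts can access the token.
    perms=$(ls -lnL "$token_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $token_file: group/other access ($perms)" >&2
        return 3
    fi
    # Reject --token in the wrapped command: arguments show up in process
    # listings and in CI logs when command tracing is enabled.
    for arg in "$@"; do
        case $arg in
            --token|--token=*)
                echo "pass the token via CHAINLOOP_TOKEN, not --token" >&2
                return 4 ;;
        esac
    done
    # The assignment prefix scopes CHAINLOOP_TOKEN to this one child process;
    # command substitution strips the trailing newline from the file.
    CHAINLOOP_TOKEN=$(cat "$token_file") "$@"
}
```

The helper returns the wrapped command's exit status, so a failed CLI call still fails the CI step.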

Keyless OIDC Authentication

In some cases, such as GitLab, you can use the platform's CI/CD machine identity to authenticate with Chainloop instead of Chainloop API tokens.

  • Purpose:
    • For non-interactive use (automation) such as CI/CD.
    • To perform attestations

Check the GitLab Keyless Attestations guide for more information.