Skip to main content

Controlplane API Tokens

The Chainloop CLI is used to interact with the Chainloop Control Plane supports two authentication methods.

User Authentication

  • Meant for interactive use
  • Associated with an user account
  • Valid for 24 hours

They can be obtained by running the chainloop auth login command.

API tokens

Alternatively, you can create Service Accounts (API Tokens) that

  • Are meant for non-interactive use, i.e automation
  • Are associated with a organization
  • Have a customizable expiry time that can be manually revoked
  • Can operate with Chainloop Workflows and Attestations
  • Supports ACL for fine-grained access control (SOON)

You can operate on your organization API tokens using the chainloop organization api-token command.

$ chainloop organization api-token -h
Manage API tokens to authenticate with the Chainloop API.

Usage:
chainloop organization api-token [command]

Aliases:
api-token, token

Available Commands:
create Create an API Token
list List API tokens in this organization
revoke revoke API Token

and then they can be used by the CLI by either setting CHAINLOOP_TOKEN environment variable or by using the --token flag, for example

chainloop workflow list --token <your-token>

Attestations

API Tokens can be used to perform attestations, the only requirement is that the operator should create a workflow prior to run the attestation and an api token. Example:

$ chainloop attestation init --name release-demo-wf --token $API_TOKEN
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At │ 13 May 24 12:23 UTC │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID │ 810472ab-484f-4499-8805-f2024d2b4a47 │
│ Name │ release-demo-wf │
│ Team │ │
│ Project │ core │
│ Contract Revision │ 1
└───────────────────┴──────────────────────────────────────┘