The Chainloop CLI supports three methods to authenticate with the Chainloop Platform:
User Authenticationβ
Purpose: For interactive use.
Association: Tied to a user account.
Duration: Valid for 24 hours.
How to Obtain: Run the
chainloop auth logincommand.
Chainloop API tokensβ
Purpose:
For non-interactive use (automation) such as CI/CD.
To perform attestations
Association: Tied to an organization.
Features:
Customizable expiry and manual revocation.
Supports fine-grained ACL for access control.
Used to interact with Chainloop Workflows and Attestations.
Manage Tokens with CLI
You can operate on your organization's API tokens using the chainloop organization api-token command.
$ chainloop organization api-token -h
Manage API tokens to authenticate with the Chainloop API.
Usage:
chainloop organization api-token [command]
Aliases:
api-token, token
Available Commands:
create Create an API Token
list List API tokens in this organization
revoke revoke API Token
and then they can be used by the CLI by either setting CHAINLOOP_TOKEN environment variable or by using the --token flag, for example
chainloop workflow list --token <your-token>
Keyless CI/CD Authentication
Purpose:
To perform attestations
In some cases, like in Gitlab, you can leverage their Ci/CD machine identity to authenticate with Chainloop instead of Chainloop API tokens. More info here