The Chainloop CLI supports three methods to authenticate with the Chainloop Platform:

User Authentication

  • Purpose: For interactive use and attestations
  • Association: Tied to a user account.
  • Duration: Valid for 24 hours
They can be obtained by running the chainloop auth login command.

Chainloop API tokens

  • Purpose:
    • For non-interactive use (automation) such as CI/CD.
    • To perform attestations
  • Association: Project-scoped or organization-scoped.
  • Features:
    • Customizable expiry and manual revocation.
    • Supports fine-grained ACL for access control.
You can operate on your organization API tokens using the chainloop organization api-token command.
You can manage your API tokens in the API Tokens Section.info
and then they can be used by the CLI by either setting CHAINLOOP_TOKEN environment variable or by using the --token flag, for example

Keyless OIDC Authentication

In some cases, like in GitLab, you can leverage their CI/CD machine identity to authenticate with Chainloop instead of Chainloop API tokens. More info here
  • Purpose:
    • For non-interactive use (automation) such as CI/CD.
    • To perform attestations
Check the GitLab Keyless Attestations guide for more information.