# Authentication Commands
Source: https://docs.chain.link/cre/reference/cli/authentication
Last Updated: 2026-04-30


The CRE CLI supports two authentication methods:

- **Browser-based login** (`cre login`) — Interactive login for local development
- **API key** (`CRE_API_KEY` environment variable) — Non-interactive authentication for CI/CD pipelines and headless environments

## Browser-based authentication

### `cre login`

Starts the interactive authentication flow. This command opens your browser for user login, saves your credentials locally to `~/.cre/cre.yaml`, and **fetches your tenant context** from the CRE platform. That response is cached per CRE environment (for example `PRODUCTION`) in **`~/.cre/context.yaml`** — a registry manifest that includes items such as your vault gateway URL, workflow registries, and which secrets authentication flows each registry supports. See [Tenant context cache](#tenant-context-cache) below.

`cre login` requires a browser and is not available in `--non-interactive` mode. For CI/CD pipelines and other headless environments, use `CRE_API_KEY` instead.

**Usage:**

```bash
cre login
```

**Authentication steps:**

1. The CLI opens your default web browser to the login page
2. Enter your account email address
3. Enter your account password
4. Enter your one-time password (OTP) from your authenticator app
5. The CLI automatically captures and saves your credentials locally, then fetches and caches tenant context (you may see **“Fetching user context…”** in the terminal)

For a detailed walkthrough with screenshots, see [Logging in with the CLI](/cre/account/cli-login).

### `cre logout`

Revokes authentication tokens and removes **local credentials** (`~/.cre/cre.yaml`) **and the cached tenant context file** (`~/.cre/context.yaml`). This invalidates the current session tokens and clears the CLI-side copy of your tenant registry manifest.

**Usage:**

```bash
cre logout
```

### `cre whoami`

Shows your current account details. This command fetches and displays your account information, including your email and organization ID. This works with both browser-based login and API key authentication.

**Usage:**

```bash
cre whoami
```

> **NOTE: Verify authentication**
>
> Use `cre whoami` to verify you're authenticated and check which account is currently active. This is useful before deploying workflows or performing other authenticated operations.

## API key authentication

> **NOTE: Deploy access required**
>
> API key authentication requires your account to have Early Access approval for deployment. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).

For CI/CD pipelines, automated scripts, or any environment where a browser is not available, you can authenticate using an API key. When the `CRE_API_KEY` environment variable is set, the CLI uses it automatically — no `cre login` required.

### Creating an API key

1. Log in to the <a href="https://app.chain.link/cre/discover" target="_blank" rel="noopener noreferrer">CRE platform</a>
2. Navigate to the **Organization** page
3. Select the **APIs** tab
4. Click **+ Organization API**
5. Give your key a name and confirm

> **CAUTION: Keep your API key secure**
>
> Treat your API key like a password. Do not commit it to version control or share it in plain text. Use your CI/CD platform's secret management to store it securely.

### Using the API key

Set the `CRE_API_KEY` environment variable before running CLI commands:

```bash
export CRE_API_KEY="your-api-key"
cre whoami
```

When `CRE_API_KEY` is set, the CLI skips the browser-based login flow entirely. All commands that require authentication (deploying, managing workflows, etc.) will use the API key. The CLI still **ensures tenant context** is available (fetching or refreshing `~/.cre/context.yaml` as needed) so your session matches the platform configuration for that key.

In a CI/CD pipeline, configure `CRE_API_KEY` as a secret environment variable in your platform and pass [`--non-interactive`](/cre/reference/cli#global-flags) to fail immediately if a command would otherwise prompt for input.

## Tenant context cache

After a successful browser login — and when using an API key for commands that load credentials — the CLI stores **tenant context** at **`~/.cre/context.yaml`**. This file comes from the platform’s **`getTenantConfig`** data: a **registry manifest** for your organization so the CLI knows your CRE environment layout (for example vault gateway URL, registries, and allowed secrets auth flows per registry). Values are grouped under your CRE environment name (such as `PRODUCTION`).

> **NOTE: Credentials vs tenant context**
>
> **`cre.yaml`** holds authentication tokens for your session. **`context.yaml`** holds **tenant configuration** returned by the platform, not secrets. **`cre logout`** removes both files from your machine.

The following example is **illustrative** only; your registries, addresses, and flow lists depend on your organization and environment.

```yaml
PRODUCTION:
  tenant_id: "<tenant-id>"
  default_don_family: zone-a
  vault_gateway_url: https://01.gateway.zone-a.cre.chain.link
  registries:
    - id: onchain:ethereum-mainnet
      label: ethereum-mainnet (0x1234...abcd)
      type: on-chain
      chain_selector: "<chain-selector>"
      address: "0x0000000000000000000000000000000000000000"
      secrets_auth_flows:
        - browser
        - owner-key-signing
    - id: private
      label: Private (Chainlink-hosted)
      type: off-chain
      secrets_auth_flows:
        - browser
```

## Authentication methods summary

| Method        | Best for                              | How it works                                         |
| ------------- | ------------------------------------- | ---------------------------------------------------- |
| `cre login`   | Local development                     | Opens a browser for interactive login with 2FA       |
| `CRE_API_KEY` | CI/CD, scripts, headless environments | Set the environment variable — no browser needed(\*) |

(\*) API key authentication requires your account to have Early Access approval. See [Requesting Deploy Access](/cre/account/deploy-access).

## Learn more

- [Logging in with the CLI](/cre/account/cli-login) — Step-by-step browser login guide with screenshots
- [Managing Authentication](/cre/account/managing-auth) — Session management, expiration, and logout
- [Account Management](/cre/reference/cli/account) — Link keys after authentication
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Requires authentication