Authentication Commands
The CRE CLI supports two authentication methods:
- Browser-based login (cre login) — Interactive login for local development
- API key (CRE_API_KEY environment variable) — Non-interactive authentication for CI/CD pipelines and headless environments
Browser-based authentication
cre login
Starts the interactive authentication flow. This command opens your browser for user login, saves your credentials locally to ~/.cre/cre.yaml, and fetches your tenant context from the CRE platform. That response is cached per CRE environment (for example PRODUCTION) in ~/.cre/context.yaml — a registry manifest that includes items such as your vault gateway URL, workflow registries, and which secrets authentication flows each registry supports. See Tenant context cache below.
Usage:
cre login
Authentication steps:
- The CLI opens your default web browser to the login page
- Enter your account email address
- Enter your account password
- Enter your one-time password (OTP) from your authenticator app
- The CLI automatically captures and saves your credentials locally, then fetches and caches tenant context (you may see “Fetching user context…” in the terminal)
For a detailed walkthrough with screenshots, see Logging in with the CLI.
cre logout
Revokes authentication tokens and removes local credentials (~/.cre/cre.yaml) and the cached tenant context file (~/.cre/context.yaml). This invalidates the current session tokens and clears the CLI-side copy of your tenant registry manifest.
Usage:
cre logout
cre whoami
Shows your current account details. This command fetches and displays your account information, including your email and organization ID. This works with both browser-based login and API key authentication.
Usage:
cre whoami
API key authentication
For CI/CD pipelines, automated scripts, or any environment where a browser is not available, you can authenticate using an API key. When the CRE_API_KEY environment variable is set, the CLI uses it automatically — no cre login required.
Creating an API key
- Log in to the CRE platform
- Navigate to the Organization page
- Select the APIs tab
- Click + Organization API
- Give your key a name and confirm
Using the API key
Set the CRE_API_KEY environment variable before running CLI commands:
export CRE_API_KEY="your-api-key"
cre whoami
When CRE_API_KEY is set, the CLI skips the browser-based login flow entirely. All commands that require authentication (deploying, managing workflows, etc.) will use the API key. The CLI still ensures tenant context is available (fetching or refreshing ~/.cre/context.yaml as needed) so your session matches the platform configuration for that key.
In a CI/CD pipeline, configure CRE_API_KEY as a secret environment variable in your platform and run CLI commands as usual.
Tenant context cache
After a successful browser login — and when using an API key for commands that load credentials — the CLI stores tenant context at ~/.cre/context.yaml. This file comes from the platform’s getTenantConfig data: a registry manifest for your organization so the CLI knows your CRE environment layout (for example vault gateway URL, registries, and allowed secrets auth flows per registry). Values are grouped under your CRE environment name (such as PRODUCTION).
The following example is illustrative only; your registries, addresses, and flow lists depend on your organization and environment.
PRODUCTION:
  tenant_id: "<tenant-id>"
  default_don_family: zone-a
  vault_gateway_url: https://01.gateway.zone-a.cre.chain.link
  registries:
    - id: onchain:ethereum-mainnet
      label: ethereum-mainnet (0x1234...abcd)
      type: on-chain
      chain_selector: "<chain-selector>"
      address: "0x0000000000000000000000000000000000000000"
      secrets_auth_flows:
        - browser
        - owner-key-signing
    - id: private
      label: Private (Chainlink-hosted)
      type: off-chain
      secrets_auth_flows:
        - browser
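A preflight check for the two local files described above (~/.cre/cre.yaml and ~/.cre/context.yaml), as an added example that is not part of the CRE CLI or its documentation. The function name cre_audit_dir, the owner-only permission policy, and the treatment of a saved login next to CRE_API_KEY as a finding are assumptions; the page does not state which file modes the CLI sets.

```shell
#!/bin/sh
# Audit the CRE CLI's local state directory (default: ~/.cre).
# Prints one line per check and returns the number of findings (0 = clean).
# Assumption: credential and context files should carry no group/other bits.

cre_audit_dir() {
    dir="${1:-$HOME/.cre}"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "ok: $dir does not exist (no local CRE state)"
        return 0
    fi

    for name in cre.yaml context.yaml; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "absent: $f"
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FINDING: $f is accessible beyond its owner (group/other bits: $bits)"
            findings=$((findings + 1))
        else
            echo "ok: $f is owner-only"
        fi
    done

    # The CLI uses CRE_API_KEY when it is set. Assumption: an API-key run does
    # not need cre.yaml, so a saved browser login on the same machine is a
    # leftover credential that `cre logout` should have removed.
    if [ -n "${CRE_API_KEY:-}" ] && [ -e "$dir/cre.yaml" ]; then
        echo "FINDING: CRE_API_KEY is set but $dir/cre.yaml also holds saved login credentials"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Call cre_audit_dir with no argument to check ~/.cre, or pass another directory; a non-zero return can be used to fail a CI step before any authenticated command runs.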
Authentication methods summary
| Method | Best for | How it works |
|---|---|---|
| cre login | Local development | Opens a browser for interactive login with 2FA |
| CRE_API_KEY | CI/CD, scripts, headless environments | Set the environment variable — no browser needed(*) |
(*) API key authentication requires your account to have Early Access approval. See Requesting Deploy Access.
Learn more
- Logging in with the CLI — Step-by-step browser login guide with screenshots
- Managing Authentication — Session management, expiration, and logout
- Account Management — Link keys after authentication
- Deploying Workflows — Requires authentication