13 changes: 12 additions & 1 deletion enterprise/cli/command-reference/porter-auth.mdx
Expand Up @@ -16,6 +16,17 @@ porter auth login --manual

```

#### Default login method (v2)

New CLI installs default to the **v2** login method, which uses a refreshable session and stores credentials in your operating system's keyring instead of `~/.porter/porter.yaml`. Sessions refresh automatically while you use the CLI.

- Existing configs are upgraded to v2 automatically on the next CLI run; any legacy plaintext token in `porter.yaml` is cleared and replaced by a session stored in the keyring.
- To keep the legacy JWT-based flow on older self-hosted instances, set `login_method: v1` in `~/.porter/porter.yaml`.

#### Token overrides

The `--token` flag and the `PORTER_TOKEN` environment variable still take precedence over the v2 default and are the recommended way to authenticate from CI/CD pipelines. If `PORTER_TOKEN` is set but rejected by the server, the CLI prompts you to `unset PORTER_TOKEN` before retrying.

### `porter auth logout`[](#porter-auth-logout "Direct link to heading")

Logs a user out from a Porter instance.
Logs a user out from a Porter instance. For v2 sessions, this also clears the session stored in your OS keyring.
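Review bot: The two bullets under "Default login method (v2)" leave the ordering unclear for older self-hosted instances. The first says existing configs are upgraded and the plaintext token in `porter.yaml` is cleared on the next CLI run. The second says to set `login_method: v1` to keep the legacy flow, but not whether that key has to be in `~/.porter/porter.yaml` before the first run of the new CLI to stop the token being cleared. Please state that explicitly. In "Token overrides", "the CLI prompts you to `unset PORTER_TOKEN`" reads like an interactive prompt, which matters for the CI/CD use this paragraph recommends. The standard page says "tells you", so consider matching that wording and saying whether the command exits with an error.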
24 changes: 23 additions & 1 deletion standard/cli/command-reference/porter-auth.mdx
Expand Up @@ -36,11 +36,33 @@ porter auth login --token <YOUR_TOKEN>
After logging in, Porter automatically sets your default project and cluster if you have access to any. You can view these with `porter config`.
</Info>

### Default login method (v2)

New CLI installs default to the **v2** login method, which uses a refreshable session and stores credentials in your operating system's keyring instead of `~/.porter/porter.yaml`. Sessions refresh automatically while you use the CLI, so you no longer need to re-run `porter auth login` as often.

- **First-time users**: no action required — `porter auth login` uses v2 automatically.
- **Existing users upgrading**: your config is migrated to v2 on the next CLI run. Any legacy plaintext token in `porter.yaml` is cleared and replaced by a session stored in the keyring.
- **Legacy hosts**: set `login_method: v1` in `~/.porter/porter.yaml` to keep the previous JWT-based flow.

### Token and environment overrides

Explicit token authentication still takes precedence over the v2 default — useful for CI/CD pipelines and service accounts:

- The `--token` flag on any command
- The `PORTER_TOKEN` environment variable

When either is set, the CLI uses that token directly and skips the browser-based session flow. If `PORTER_TOKEN` is set but the server rejects it, the CLI tells you to `unset PORTER_TOKEN` before retrying.

```bash CI/CD example
export PORTER_TOKEN="$PORTER_DEPLOY_TOKEN"
porter apply -f porter.yaml
```

---

## `porter auth logout`

Log out from Porter and clear your local credentials.
Log out from Porter and clear your local credentials. For v2 sessions, this also clears the session stored in your OS keyring.

**Usage:**
```bash
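Review bot: "Token and environment overrides" lists the `--token` flag and `PORTER_TOKEN` as equal overrides ("When either is set") but does not say which one wins when both are set. Since the section is aimed at CI/CD and service accounts, add a sentence giving the order between the two. In "Default login method (v2)", the text says credentials are stored in the operating system's keyring but does not say what `porter auth login` does on a host with no keyring available. A short sentence on that case, or a pointer to the token overrides for such hosts, would close the gap. The "Legacy hosts" bullet could also note that `login_method: v1` keeps the token in `porter.yaml`, which the bullet above it describes as plaintext.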