Authenticate to use the CLI
To scan your projects, you must authenticate with Snyk.
Snyk supports the following protocols for authentication:
OAuth 2.0 (Recommended)
Personal Access Token
Snyk API token (Legacy)
How to authenticate to use the CLI locally
Steps to authenticate using OAuth 2.0 protocol
When you are using the CLI locally, Snyk recommends that you use the OAuth 2.0 protocol. Follow these steps:
Run the snyk auth CLI command.
Log in if you are prompted to do so.
The next page asks for your authorization for the CLI to act on your behalf. Click Grant app access.
When you have authenticated successfully, a confirmation message appears. Close the browser window and return to the CLI in the terminal.
After authentication is granted, a pair of access and refresh tokens are stored locally for future use.
Multi-tenant users who do not belong to the SNYK-US-01 region (https://api.snyk.io) will be automatically redirected to the correct domain for the email with which the user authenticated. This redirect will not happen if users are expected to use a custom URL, such as in single-tenant company configurations.
If you have problems, see OAuth 2.0 authentication does not work.
Steps to authenticate using Personal Access Tokens
When using this feature, ensure you generate and use a Personal Access Token (PAT). This feature is not compatible with Service Account tokens, and using them may result in unexpected behavior or errors.
Follow these steps to authenticate using your Snyk Personal Access Token:
Create your Personal Access Token. For details, see the Authentication for API page.
Run the snyk auth <PAT> CLI command, supplying your Personal Access Token as a command argument.
After you successfully authenticate, the PAT is stored locally for future use.
All subsequent commands requiring Snyk authorization will use the configured PAT.
Steps to retrieve the Snyk API token and use it to authenticate
This method is inferior to the OAuth 2.0 method.
Follow these steps to authenticate using your Snyk API token:
Run the snyk auth --auth-type=token CLI command.
Log in, if required.
The next page prompts you to authenticate your machine to associate the Snyk CLI or the IDE plugin with your account. Click Authenticate.
After you successfully authenticate, a confirmation message appears. Close the browser window and return to the CLI in the terminal.
After you complete the dialog, the API token is stored locally for future use.
All subsequent test commands will be authenticated automatically.
Steps to authenticate using a known Snyk API token
You can copy your personal API token from your General Account settings (under your username) in the Snyk Web UI, and then configure your CLI to use it locally.
All CLI test commands can automatically recognize the environment variable SNYK_TOKEN and use it for authentication. For details, see Environment variables for Snyk CLI.
To use API token-based authentication, set the SNYK_TOKEN environment variable and run the test command, for example:
SNYK_TOKEN=<SNYK_API_TOKEN> snyk test
Alternatively, you can export the environment variable to make it available for future test commands:
export SNYK_TOKEN=<SNYK_API_TOKEN>
snyk test
This form of authentication is particularly useful for CI/CD pipelines. See How to authenticate to use the CLI in CI/CD pipelines.
You can also store the Snyk API token locally for later use by running the following CLI command:
snyk auth <SNYK_API_TOKEN>
All subsequent test calls will be authenticated automatically. For more information, see the Auth command help.
How to authenticate to use the CLI in CI/CD pipelines
Free and Team plan users are more likely to use this method in a CI/CD pipeline than to use OAuth 2.0. Enterprise plan customers are advised to use a service account in a CI/CD pipeline. For details about when to use a PAT and when to use a service account token, see Authentication for API.
All CLI test commands can automatically recognize the environment variable SNYK_TOKEN and use it for authentication. For details, see Environment variables for Snyk CLI.
To use PAT-based authentication, set the SNYK_TOKEN environment variable and run the test command, for example:
SNYK_TOKEN=<SNYK_PAT> snyk test
Alternatively, you can export the environment variable to make it available for future test commands:
export SNYK_TOKEN=<SNYK_PAT>
snyk test
You can also store the Snyk PAT locally for later use by running the following CLI command:
snyk auth <SNYK_PAT>
All subsequent test calls will be authenticated automatically. For more information, see the Auth command help.
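A CI preflight for the SNYK_TOKEN variable described above, as an added example that is not part of the Snyk documentation. The function names snyk_token_ok and run_snyk_test and the reason codes 1 to 3 are this example's own; it assumes the pipeline's secret store injects SNYK_TOKEN into the job environment.

```shell
#!/bin/sh
# Added example: check SNYK_TOKEN before running `snyk test` in a CI job,
# without ever printing the token. Helper names are hypothetical.

# Exit status: 0 usable, 1 unset/empty, 2 docs placeholder, 3 contains whitespace.
# The body runs in a subshell so that turning xtrace off does not change the
# caller's shell options.
snyk_token_ok() (
    # With `set -x` active, the `[` test below would be traced with the
    # token expanded into the job log; switch tracing off first.
    set +x 2>/dev/null

    # 1: the secret was not injected into this job
    [ -n "${SNYK_TOKEN:-}" ] || exit 1

    # 2: a placeholder such as <SNYK_PAT> was copied into the pipeline config
    case "$SNYK_TOKEN" in
        "<"*">") exit 2 ;;
    esac

    # 3: whitespace or a newline inside the value (badly pasted secret)
    case "$SNYK_TOKEN" in
        *[[:space:]]*) exit 3 ;;
    esac

    exit 0
)

# Run `snyk test` only when the token passes the check above.
run_snyk_test() {
    snyk_token_ok || {
        rc=$?
        echo "SNYK_TOKEN check failed (code $rc); not running snyk" >&2
        return "$rc"
    }
    # Export by name only: the value is not expanded on this line, and it is
    # not passed as a command-line argument to snyk.
    export SNYK_TOKEN
    snyk test "$@"
}
```

Source this file in the job script and call run_snyk_test in place of snyk test; any arguments are passed through to the CLI unchanged.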