Skip to main content
The CLI supports multiple authentication methods for different environments and use cases.

Interactive login

The default authentication method opens your browser for a secure login flow. 
cpln login
This command:
  1. Opens your default browser
  2. Prompts you to authenticate via Control Plane
  3. Creates a default profile with your credentials
After successful authentication, the CLI is ready to use with your default profile.
When you run cpln login in WSL2, the localhost URL won’t work in your Windows browser because it points to the WSL2 instance, not Windows.Solution: Install a browser in WSL2 (requires WSLg):
cd /tmp
sudo wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome-stable_current_amd64.deb
sudo apt install --fix-broken -y
sudo dpkg -i google-chrome-stable_current_amd64.deb
After installation, Chrome appears in your Windows Start menu under the distro name (e.g., Ubuntu → Google Chrome). Run cpln login, copy the localhost URL from the terminal, and paste it into your WSL2 Chrome.Alternative: Use browser-less login with a service account token.

Browser-less authentication

For environments without browser access (SSH sessions, CI/CD, containers), use a service account token.
1

Create a service account

  1. Click Service Accounts in the left menu and click New (or use the Create dropdown in the upper right corner)
  2. Enter a unique name and optional description
  3. Click Next (Tags), add any optional tags, then click Create
See the Create a Service Account guide for details.
2

Generate a key

  1. Open the service account you created
  2. Click the Keys link
  3. Enter a key description and click Add
  4. Copy and download the generated key securely
3

Authenticate with the token

Use the token directly or create a profile:
For detailed browser-less setup, see the Browser-less CLI Login guide.

Token management

View your current token

Display the token for a profile: 
cpln profile token <profile-name>

Override token for a single command

Use a different token without changing your profile: 
cpln gvc get <gvc-name> --token <your-token>

Token precedence

The CLI uses tokens in this order:
  1. --token flag (highest priority)
  2. CPLN_TOKEN environment variable
  3. Profile token (default)

Authentication for CI/CD

For automated environments:
  1. Create a service account with appropriate permissions
  2. Generate a key and store it securely (e.g., CPLN_TOKEN in secrets manager)
  3. Create a profile in your CI/CD pipeline
cpln profile create ci --org <org-name> --default
See CI/CD usage for complete automation setup.

Troubleshooting

If the browser doesn’t open automatically, copy the URL displayed in the terminal and paste it into your browser manually. Complete the login flow in the browser to authenticate.
The CLI uses your system’s default browser. Change your default browser in your OS settings, or copy the URL from the terminal and paste it into your preferred browser.
A 403 error typically means one of the following:
  • Wrong org: You’re trying to access an org you don’t have access to, or there’s a typo in the org name. Verify with cpln profile get.
  • Missing token: No token is provided. Ensure CPLN_TOKEN is set or you’re using a profile with a valid token.
  • Insufficient permissions: Your token doesn’t have the required permissions. Generate a new key or re-login to refresh your token: 
    cpln login
    Or for service accounts: 
    cpln serviceaccount add-key <name> --description <key-description>
For more troubleshooting help, see the Troubleshooting page.

Next steps

Profiles

Manage multiple authentication contexts

CI/CD Setup

Automate with service accounts