> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authentication methods for Console UI (SSO via Google, GitHub, Microsoft, SAML) and CLI (interactive login, service accounts, and token management).

Control Plane supports multiple authentication methods depending on how you access the platform.

***

## Console UI

The Console uses single sign-on (SSO) for user authentication with the following providers:

<CardGroup cols={4}>
  <Card title="Google" icon="google" />

  <Card title="GitHub" icon="github" />

  <Card title="Microsoft" icon="microsoft" />

  <Card title="SAML" icon="key" />
</CardGroup>

After successful authentication, users' access privileges are determined based on their assigned [group membership](/reference/group) or [policy](/reference/policy).

<Accordion title="SAML Configuration" icon="gear">
  To enable SAML authentication for your organization, contact us on Slack or at [support@controlplane.com](mailto:support@controlplane.com).

  **Values required from your authentication provider:**

  * Entity ID
  * SSO URL
  * Certificate

  **Control Plane SAML configuration values:**

  * Service Provider Entity ID: `cpln.io`
  * Assertion Consumer Service (ACS) / Callback URL: `https://console.cpln.io/__/auth/handler`
</Accordion>

***

## CLI

The CLI supports two authentication methods:

<Tabs>
  <Tab title="Interactive Login">
    For interactive use, run the login command which opens your browser for SSO authentication:

    ```bash theme={null}
    cpln login
    ```

    This creates a default profile with your credentials.
  </Tab>

  <Tab title="Service Account Token">
    For CI/CD pipelines and automation, use a service account token:

    ```bash theme={null}
    # Create a profile with a service account token
    cpln profile create PROFILE_NAME --org ORG_NAME --token TOKEN --default
    ```

    The `--default` flag makes this profile active for all future commands.

    You can also use the `CPLN_TOKEN` environment variable:

    ```bash theme={null}
    export CPLN_TOKEN=your-service-account-token
    ```
  </Tab>
</Tabs>

<Card title="CLI Authentication Guide" icon="terminal" href="/cli-reference/get-started/authentication">
  Complete guide for CLI authentication including browser-less setup for CI/CD
</Card>

***

## Terraform

Configure the provider with your organization and authentication credentials:

```hcl theme={null}
provider "cpln" {
  org   = "your-org-name"
  token = var.cpln_token  # Service account token
}
```

Or use environment variables:

```bash theme={null}
export CPLN_ORG=your-org-name
export CPLN_TOKEN=your-service-account-token
```

<Card title="Terraform Provider" icon="cube" href="/iac/terraform">
  Complete Terraform provider setup and configuration
</Card>

***

## Pulumi

Configure authentication using Pulumi config or environment variables:

<Tabs>
  <Tab title="Pulumi Config">
    ```bash theme={null}
    pulumi config set cpln:org your-org-name
    pulumi config set --secret cpln:token your-service-account-token
    ```
  </Tab>

  <Tab title="Environment Variables">
    ```bash theme={null}
    export CPLN_ORG=your-org-name
    export CPLN_TOKEN=your-service-account-token
    ```
  </Tab>
</Tabs>

<Card title="Pulumi Provider" icon="cube" href="/iac/pulumi">
  Complete Pulumi provider setup and configuration
</Card>

***

## REST API

Authenticate API requests using a bearer token in the `Authorization` header:

```bash theme={null}
curl --request GET \
  --url https://api.cpln.io/org/your-org/gvc \
  --header 'Authorization: Bearer YOUR_TOKEN'
```

Tokens can be obtained from:

* **Service account key**: Generated when creating a service account
* **User access token**: Run `cpln profile token PROFILE_NAME`

<Card title="API Reference" icon="code" href="/api-reference/api">
  Complete API documentation with interactive examples
</Card>

***

## Service Accounts

For programmatic access (CI/CD, automation, IaC), create a [service account](/reference/serviceaccount) and generate a key:

<Steps>
  <Step title="Create a service account">
    In the Console, navigate to **Service Accounts** and click **New**, or use the CLI:

    ```bash theme={null}
    cpln serviceaccount create --name my-service-account --org my-org
    ```
  </Step>

  <Step title="Generate a key">
    ```bash theme={null}
    cpln serviceaccount add-key my-service-account --org my-org
    ```

    <Warning>
      The key is displayed only once. Save it immediately in a secure location.
    </Warning>
  </Step>

  <Step title="Grant permissions">
    Add the service account to a [group](/reference/group) or create a [policy](/reference/policy) granting it the necessary permissions.
  </Step>

  <Step title="Use the token">
    Use the generated key as your token in the CLI, Terraform, Pulumi, or API requests.
  </Step>
</Steps>

<Card title="Create a Service Account" icon="robot" href="/guides/create-service-account">
  Step-by-step guide for creating and configuring service accounts
</Card>