docs: enhance login documentation with detailed authentication methods and examples

2026-01-09 15:38:03 -05:00 · 2025-10-21 15:54:46 -03:00
parent 80aa473bca
commit c68da12018
1 changed files with 196 additions and 7 deletions
--- a/docs/cli/commands/login.mdx
+++ b/docs/cli/commands/login.mdx
@@ -9,22 +9,92 @@ infisical login

 ### Description

-The CLI uses authentication to verify your identity. When you enter the correct email and password for your account, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI.
+The CLI uses authentication to verify your identity. You can authenticate using:
+- **Browser Login** (default): Opens a browser for authentication
+- **Direct Login**: Provide email and password via flags or environment variables for non-interactive workflows
+- **Interactive CLI Login**: Use the `--interactive` flag to enter credentials via CLI prompts
+
+When authenticated, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI.

 To change where the login credentials are stored, visit the [vaults command](./vault).

 If you have added multiple users, you can switch between the users by using the [user command](./user).

    <Info>
-      When you authenticate with **any other method than `user`**, an access token will be printed to the console upon successful login. This token can be used to authenticate with the Infisical API and the CLI by passing it in the `--token` flag when applicable.
-
-      Use flag `--plain` along with `--silent` to print only the token in plain text when using a machine identity auth method.
-
+      **JWT Token Output:**
+      - For **user authentication** with the `--plain` flag: outputs only the JWT access token (useful for scripting)
+      - For **machine identity authentication**: an access token is always printed to the console
+      
+      Use the `--plain` flag to print only the token in plain text, which is ideal for capturing in environment variables or CI/CD pipelines.
    </Info>

 ### Authentication Methods

-The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.
+The Infisical CLI supports two main categories of authentication: User Authentication and Machine Identity Authentication.
+
+#### User Authentication
+
+User authentication is designed for individual developers and supports multiple login flows.
+
+<AccordionGroup>
+<Accordion title="User">
+  The User authentication method allows you to log in with your email and password. This method supports three different login flows:
+
+  - **Browser Login** (default): Opens a browser for authentication
+  - **Direct Login**: Provide credentials via flags or environment variables for CI/CD
+  - **Interactive CLI Login**: Enter credentials via CLI prompts using `--interactive`
+
+  <ParamField query="Flags">
+    <Expandable title="properties">
+        <ParamField query="email" type="string" optional>
+          Your email address. Required for direct login along with `--password`.
+        </ParamField>
+        <ParamField query="password" type="string" optional>
+          Your password. Required for direct login along with `--email`.
+        </ParamField>
+        <ParamField query="interactive" type="boolean" optional>
+          Force interactive CLI login instead of browser-based authentication.
+        </ParamField>
+        <ParamField query="plain" type="boolean" optional>
+          Output only the JWT token (useful for scripting and CI/CD).
+        </ParamField>
+    </Expandable>
+  </ParamField>
+
+  <Steps>
+    <Step title="Choose your login method">
+      **Browser Login (Default)**
+      ```bash
+      infisical login
+      ```
+
+      **Direct Login (CI/CD)**
+      ```bash
+      infisical login --email=user@example.com --password=your-password
+      
+      # Or using environment variables
+      export INFISICAL_EMAIL="user@example.com"
+      export INFISICAL_PASSWORD="your-password"
+      infisical login
+      ```
+
+      **Interactive CLI Login**
+      ```bash
+      infisical login --interactive
+      ```
+
+      **Plain Token Output (for scripting)**
+      ```bash
+      export INFISICAL_TOKEN=$(infisical login --email=user@example.com --password=your-password --plain)
+      ```
+    </Step>
+  </Steps>
+</Accordion>
+</AccordionGroup>
+
+#### Machine Identity Authentication
+
+Machine identity authentication methods are designed for automated systems, services, and CI/CD pipelines.

 <AccordionGroup>
 <Accordion title="Universal Auth">
@@ -330,6 +400,59 @@ The login command supports a number of flags that you can use for different auth
    </Tip>

  </Accordion>
+  <Accordion title="--email">
+    ```bash
+    infisical login --email=<email> --password=<password>
+    ```
+
+    #### Description
+    Email address for direct user login. Must be used together with `--password` for non-interactive authentication.
+
+    <Tip>
+      The `email` flag can be substituted with the `INFISICAL_EMAIL` environment variable.
+    </Tip>
+
+  </Accordion>
+  <Accordion title="--password">
+    ```bash
+    infisical login --email=<email> --password=<password>
+    ```
+
+    #### Description
+    Password for direct user login. Must be used together with `--email` for non-interactive authentication.
+
+    <Warning>
+      For security in CI/CD environments, prefer using the `INFISICAL_PASSWORD` environment variable instead of passing the password as a command-line flag.
+    </Warning>
+
+    <Tip>
+      The `password` flag can be substituted with the `INFISICAL_PASSWORD` environment variable.
+    </Tip>
+
+  </Accordion>
+  <Accordion title="--interactive">
+    ```bash
+    infisical login --interactive
+    ```
+
+    #### Description
+    Forces interactive CLI login where you'll be prompted to enter your email and password in the terminal, instead of opening a browser.
+
+  </Accordion>
+  <Accordion title="--plain">
+    ```bash
+    infisical login --email=<email> --password=<password> --plain
+    ```
+
+    #### Description
+    When used with direct user login or machine identity authentication, outputs only the JWT access token without any additional formatting. This is useful for scripting and CI/CD pipelines where you need to capture the token.
+
+    ```bash
+    # Example: Capture token in a variable
+    export INFISICAL_TOKEN=$(infisical login --email=<email> --password=<password> --plain)
+    ```
+
+  </Accordion>
 </AccordionGroup>

  <Accordion title="--oidc-jwt">
@@ -346,6 +469,72 @@ The login command supports a number of flags that you can use for different auth

  </Accordion>

+### User Authentication Examples
+
+The following examples demonstrate different ways to authenticate as a user with the Infisical CLI.
+
+<AccordionGroup>
+  <Accordion title="Direct Login (Non-Interactive)">
+    Direct login is ideal for CI/CD pipelines and automation scripts where browser-based authentication is not possible.
+
+    #### Using Command-Line Flags
+
+    ```bash
+    # Basic direct login
+    infisical login --email user@example.com --password "your-password"
+
+    # With custom domain (US Cloud)
+    infisical login --email user@example.com --password "your-password" --domain https://app.infisical.com
+
+    # With custom domain (EU Cloud)
+    infisical login --email user@example.com --password "your-password" --domain https://eu.infisical.com
+
+    # Output only JWT token for scripting
+    export INFISICAL_TOKEN=$(infisical login --email user@example.com --password "your-password" --plain)
+    ```
+
+    #### Using Environment Variables (Recommended for CI/CD)
+
+    ```bash
+    # Set credentials as environment variables
+    export INFISICAL_EMAIL="user@example.com"
+    export INFISICAL_PASSWORD="your-password"
+    export INFISICAL_API_URL="https://app.infisical.com/api"
+
+    # Login without additional flags
+    infisical login
+
+    # Or with plain output for token capture
+    export INFISICAL_TOKEN=$(infisical login --plain)
+    ```
+  </Accordion>
+
+  <Accordion title="Interactive CLI Login">
+    Interactive login prompts you to enter credentials in the terminal instead of opening a browser.
+
+    ```bash
+    # Force interactive CLI login
+    infisical login --interactive
+    ```
+
+    You'll be prompted to enter:
+    - Email address
+    - Password
+
+  </Accordion>
+
+  <Accordion title="Browser Login (Default)">
+    By default, running `infisical login` without any flags opens your browser for authentication.
+
+    ```bash
+    # Opens browser for authentication
+    infisical login
+    ```
+
+    The browser will open to the Infisical login page, and upon successful authentication, the CLI will be automatically authenticated.
+
+  </Accordion>
+</AccordionGroup>

 ### Machine Identity Authentication Quick Start

@@ -367,7 +556,7 @@ In this example we'll be using the `universal-auth` method to login to obtain an
        ```
    </Step>

-      <Step title="Fetch all secrets from an evironment">
+      <Step title="Fetch all secrets from an environment">
        ```bash
          infisical secrets --projectId=<your-project-id --env=dev --recursive
        ```