# chainctl auth login

URL: https://edu.chainguard.dev/chainguard/chainctl/chainctl-docs/chainctl_auth_login.md
Last Modified: April 20, 2026
Tags: chainctl, Reference, Product

 chainctl auth login Login to the Chainguard platform.
chainctl auth login [--invite-code=INVITE_CODE] [--identity-token=PATH_TO_TOKEN] [--identity=IDENTITY_ID] [--identity-provider=IDP_ID] [--org-name=ORG_NAME] [--audience=AUDIENCE]... [--social-login={email|google|github|gitlab}] [--headless] [--prefer-ambient-credentials] [--refresh] [--output=id|json|none|table] Examples # Default auth login flow: chainctl auth login # Refreshing a token within a Kubernetes context: chainctl auth login --identity-token=PATH_TO_TOKEN --refresh # Headless login using --org-name chainctl auth login --headless --org-name my-org # Register by accepting an invite to an existing location chainctl auth login --invite-code eyJncnAiOiI5MzA... Options --audience stringArray The Chainguard token audience to request. Can be specified multiple times to create separate tokens. --headless Skip browser authentication and use device flow. --identity string The unique ID of the identity to assume when logging in. --identity-provider string The unique ID of the customer managed identity provider to authenticate with --identity-token string Use an explicit passed identity token or token path. --invite-code string Registration invite code. --org-name string Organization to use for authentication. If configured the organization&#39;s custom identity provider will be used --prefer-ambient-credentials Auth with ambient credentials, if present, before using a supplied identity token. --refresh Enable auto refresh of the Chainguard token (for workloads). --refresh-only Only refresh existing tokens, skip initial token creation (implies --refresh). Must authenticate separately. --social-login string Which of the default identity providers to use for authentication. Must be one of: email, google, github, gitlab --sts-http1-downgrade Downgrade STS requests to HTTP/1.x Options inherited from parent commands --api string The url of the Chainguard platform API. (default &#34;https://console-api.enforce.dev&#34;) --config string A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly. --console string The url of the Chainguard platform Console. (default &#34;https://console.chainguard.dev&#34;) --force-color Force color output even when stdout is not a TTY. -h, --help Help for chainctl --issuer string The url of the Chainguard STS endpoint. (default &#34;https://issuer.enforce.dev&#34;) --log-level string Set the log level (debug, info) (default &#34;ERROR&#34;) -o, --output string Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide] -v, --v int Set the log verbosity level. SEE ALSO chainctl auth	- Auth related commands for the Chainguard platform.