Authentication#
Authentication is required for the majority of the Buf CLI commands that interact with the Buf Schema Registry (BSR). There are two main ways to authenticate:
- Use
buf registry login. We recommend this for local development authentication. - Populate a
BUF_TOKENenvironment variable. We recommend this for CI systems.
In either case, you're using an authentication token generated by the BSR.
You don't need credentials to view public modules in the public BSR. You can give it a try here: https://buf.build/connectrpc/eliza/sdks/main
Authenticating locally#
Log in#
To authenticate with the CLI:
-
Log in to the BSR from the command line:
If you're on a private BSR instance, specify it in the command:
-
Your browser opens. Log into the BSR and click Approve to approve the CLI access.
Log out#
To log out, run
Tokens#
Create an API token#
- Go to your account settings.
- Click the Create New Token button, select an expiration time, and add a note for yourself to distinguish this token from others.
- Click Create and copy the token to your clipboard.
This token identifies you to the BSR and must be kept secret.
Revoke an API token#
An API token can be revoked from the same user settings page. Simply find the name of the token in the list and delete it. It immediately ceases to be a valid authentication method.
Bot users for Pro and Enterprise#
Pro and Enterprise users can create bot users and associated tokens. Bot users are headless users created and managed by the BSR instance administrators.
- Go to the admin panel for your private BSR instance and select Bot Users in the left side menu.
For example, if your server is
https://buf.example.com, then it's available athttps://buf.example.com/admin/bot-users. - Click the Create bot user button, then input a username to create the bot user.
- After the user is created, click on its name to go to the user details page and manage its tokens there.
Authenticating in CI#
If you wish to add authentication to your continuous integration jobs, we recommend storing the token in your provider's secret storage.
Access the secret token as specified by your CI provider and make it available as a BUF_TOKEN environment variable .
If this isn't possible, you can also login via the Buf CLI (assuming BUF_TOKEN is set):
For GitHub Actions, follow these steps:
- On your repository, go to Settings > Secrets and variables > Actions.
- Click "New repository secret".
- Name the secret
BUF_TOKEN. - Paste the token as the value and click "Add secret".
You can now use any of the authenticated Buf CLI commands, such as buf push.
Advanced#
Where BSR credentials are stored locally#
Credentials are stored in $HOME/.netrc.
After running buf registry logout, all existing BSR credentials are removed from $HOME/.netrc.
If you're developing on a Windows machine, the credentials file is %HOME%/_netrc.
For more information on .netrc, check out the curl documentation.
BUF_TOKEN formats#
BUF_TOKEN is an environment variable that holds the API token used for authentication.
It can contain either a single or multiple tokens.
Single token#
BUF_TOKEN can contain a single token that's used when authenticating with the BSR.
You can set BUF_TOKEN by running this command:
Multiple tokens#
The BUF_TOKEN environment variable can also contain tokens with specific BSR addresses.
Each token has the format ${BUF_TOKEN}@${BSR_HOSTNAME} with multiple tokens separated by a comma.
The Buf CLI finds the correct authentication token for each remote address.
You can set BUF_TOKEN by running the following command:
Order of precedence#
The order of precedence for CLI authentication is:
- The
BUF_TOKENenvironment variable is used if it's set. - The
.netrcfile.
IP address blocking#
We block access to all BSR instances from any IP address that Google classifies as being located in a country sanctioned by the US OFAC. Trying to access the BSR from these IP addresses results in a 403: Forbidden error.
If you believe your IP addresses are being categorized erroneously, you can report the issue directly to Google.