your-company.safedep.io) and a credential. The credential type depends on which API plane the tool calls:
- Data plane (
api.safedep.io): package insights, scanning, and sync. Authenticates with an API key. - Control plane (
cloud.safedep.io): tenant, policy, and management operations, including SQL queries. Authenticates with a JWT from an OAuth2 login.
safedep CLI
safedep auth login runs an OAuth2 device flow in your browser, selects a tenant, creates an API key, and stores the credentials in your OS keychain:
--api-key-value, stdin (with --from-stdin), the SAFEDEP_API_KEY environment variable, or an interactive prompt, in that order. Work with multiple tenants using --profile and safedep auth profile list. See the CLI command reference for all flags.
vet
vet uses an API key for scanning and sync:vet cloud use the OAuth2 device flow instead:
rm ~/.safedep/vet-auth.yml.
CI/CD pipelines
Tools read credentials from environment variables, so pipelines need no interactive login:SAFEDEP_CLOUD_API_KEY and SAFEDEP_CLOUD_TENANT_DOMAIN. vet-action reads them through its cloud-key and cloud-tenant inputs instead of environment variables.
For working pipeline configurations (GitHub Actions, GitLab, Jenkins, Azure DevOps), see Cloud Sync.
Troubleshooting
Identity not registered
Tenant not found
vet auth configure --tenant <tenant-domain> or vet cloud login --tenant <tenant-domain>. If you’ve forgotten your tenant domain, run vet cloud login followed by vet cloud whoami to list the tenants you can access.
Checking credentials
API Reference
Transport, request headers, OAuth2/OIDC, and rate limits
Cloud Quickstart
Create a tenant and log in with the safedep CLI
Cloud Sync
Send data to your tenant from vet, PMG, and endpoint scans
API Specification
Canonical gRPC/ConnectRPC schemas and generated SDKs

