Skip to main content
Every tool that talks to SafeDep Cloud authenticates with two values: a tenant domain (for example your-company.safedep.io) and a credential. The credential type depends on which API plane the tool calls:
  • Data plane (api.safedep.io): package insights, scanning, and sync. Authenticates with an API key.
  • Control plane (cloud.safedep.io): tenant, policy, and management operations, including SQL queries. Authenticates with a JWT from an OAuth2 login.
Generate API keys at app.safedep.io/settings/api-keys. For request headers, OAuth2/OIDC endpoints, and rate limits, see the API reference. For the full hostname list, see the endpoints reference.

safedep CLI

safedep auth login runs an OAuth2 device flow in your browser, selects a tenant, creates an API key, and stores the credentials in your OS keychain:
For non-interactive environments, log in with a static API key instead of the device flow:
The key is read from --api-key-value, stdin (with --from-stdin), the SAFEDEP_API_KEY environment variable, or an interactive prompt, in that order. Work with multiple tenants using --profile and safedep auth profile list. See the CLI command reference for all flags.

vet

vet uses an API key for scanning and sync:
You will be prompted to enter the API key. Verify the connection:
Control plane commands under vet cloud use the OAuth2 device flow instead:
To log out, delete the stored credentials: rm ~/.safedep/vet-auth.yml.

CI/CD pipelines

Tools read credentials from environment variables, so pipelines need no interactive login:
Store both as CI secrets. Across SafeDep docs, the secret names are SAFEDEP_CLOUD_API_KEY and SAFEDEP_CLOUD_TENANT_DOMAIN. vet-action reads them through its cloud-key and cloud-tenant inputs instead of environment variables. For working pipeline configurations (GitHub Actions, GitLab, Jenkins, Azure DevOps), see Cloud Sync.

Troubleshooting

Identity not registered

Your identity is not registered with SafeDep Cloud. Sign up first: see the quickstart.

Tenant not found

No tenant is configured. Set it with vet auth configure --tenant <tenant-domain> or vet cloud login --tenant <tenant-domain>. If you’ve forgotten your tenant domain, run vet cloud login followed by vet cloud whoami to list the tenants you can access.

Checking credentials

API Reference

Transport, request headers, OAuth2/OIDC, and rate limits

Cloud Quickstart

Create a tenant and log in with the safedep CLI

Cloud Sync

Send data to your tenant from vet, PMG, and endpoint scans

API Specification

Canonical gRPC/ConnectRPC schemas and generated SDKs