Skip to main content

ggshield auth login


Authenticate with a GitGuardian workspace.

ggshield auth login [OPTIONS]

ggshield needs an API key to work. Under the hood, this command automates the provisioning of a personal access token and its configuration on the local workstation.

The default authentication mode is a web-based browser flow. Alternatively, use the --method=token to pass in an already existing token. The required scope for the personal access token is: scan

If a valid personal access token is already configured, this command simply displays a success message indicating that ggshield is already ready to use.


  • --method={web|token}: the method used for the authentication flow: . Default is web.
  • --instance: URL of the instance to authenticate against. Default is GitGuardian SaaS URL:
  • --sso-url: URL of your SSO login page to force the authentication flow through your workspace SSO
  • --token-name <string>: the name you want to specify for your token. If not provided, GitGuardian will fallback to "ggshield token 20XX-XX-XX".
  • --lifetime: Number of days before the token expires. 0 means the token never expires.

ggshield global options#

  • -h, --help: display detailed help


# start interactive web-based flow$ ggshield auth login
# force the authentication flow through a SSO$ ggshield auth login --sso-url
# specify the name of the personal access token about to be provisioned$ ggshield auth login --token-name mytoken
# authenticate with an already existing token$ ggshield auth login --method=token 52c95553b17c2aBfc39fc1cbDF6ce06ff2a48EFecA3B06f61B0F3ccb5FBCFeC76XXXXXX
# authenticate again a self-hosted GitGuardian instance$ ggshield auth login --instance https://dashboard.gitguardian.mycorp.local