Server Authentication

Warning

This content is part of the legacy version of Waypoint that is no longer actively maintained. For additional information on the new vision of Waypoint, check out this blog post and the HCP Waypoint documentation.

All connections to the Waypoint server via the CLI or UI require authentication. Waypoint supports authentication using an API token or via OpenID Connect (OIDC). OIDC allows Waypoint to use existing accounts from providers such as Google, Okta, GitLab, and more.

If you're a new user that ran waypoint install, the auth token was automatically configured for your local CLI. As a next step, we recomend setting up OIDC.

Logging In

To log in in the Waypoint UI, open the UI in your browser and follow the onscreen instructions.

To log in using either a token or OIDC, use the waypoint login command. Specify the address to the Waypoint server as the argument:

$ waypoint login 127.0.0.1:9701
...

If the server is configured to use OIDC, then this will open your browser to complete authentication. Otherwise, the command will prompt you for your token by asking you to specify the -token flag. After successfully logging in, your CLI is configured with your authentication information.

For automation-based workflows, you may also set the WAYPOINT_SERVER_ADDR and WAYPOINT_SERVER_TOKEN environment variables. This will be used instead of any current saved auth information if it is present.

Invite Teammates

If using OIDC, other teammates can attempt to authenticate using the UI or waypoint login. This will create a new account if they're allowed to authenticate.

For tokens, use the waypoint user invite CLI command with the -username flag. This will create an invite token that can be exchanged for a token for a specific user.

To invite a new user alice:

$ waypoint user invite -username=alice
svESKuVYKeLkgFP3heNanrhvwiMfxfM7q7d3m8UTU3fTDwetfq9vMsBtdqeRmKakXZXJjLDinApxkDcVe594vR2FfVeF3m6gupZ8NVcSC

After giving Alice the invite token, they can setup their account using the standard waypoint login flow.

Revoke, Inspect, etc.

Waypoint currently doesn't have any mechanism to revoke sessions, audit token usage, inspect existing sessions, etc. We plan on expanding our authentication system to support this in the future.