We use cookies to understand how people use Depot.
Depot CLI

Authentication

We provide three different options you can use to authenticate your build to our remote Docker builders via the depot CLI.

User access tokens

You can generate an access token tied to your Depot account that can be used for builds in any project in any organization you have access to. When you run depot login we authenticate your account and generate a new user access token that all builds from your machine use by default. It is recommended to only use these for local development and not in CI environments.

To generate a user access token, you can go through the following steps:

  1. Open your Account Settings
  2. Enter a description for your token under API Tokens
  3. Click Create token

Project tokens

Unlike user access tokens, project tokens are tied to a specific project in your organization and not a user account. These are ideal for building images with Depot from your existing CI provider. They are not tied to a single user account and are restricted to a single project in a single organization.

To generate a project token, you can go through the following steps:

  1. Open your Project Details page by clicking into a project from your projects list
  2. Click the Settings button next to your project ID
  3. Enter a token description and click create token

OIDC trust relationships

If you are using GitHub Actions as your CI provider, we can directly integrate with GitHub's OIDC token via trust relationships. This is a great way to plug Depot into your existing Actions workflows as it requires no static secrets and credentials are short-lived.

You configure a trust relationship in Depot that allows your GitHub repository and actions workflows to access your project via a token exchange. The workflow requests an access token from Depot, we check the details of the request to see if they match a configured trust relationship for your project. If all things match, we generate a temporary access token and return it to the workflow. This temporary access token is only valid for the duration of the job that requested it.

To add a trust relationship, you can go through the following steps:

  1. Open your Project Details page by clicking into a project from your projects list
  2. Click the Settings button next to your project ID
  3. Enter a GitHub User or Organization for the trust relationship
  4. Enter the full url for GitHub repository that will build images via Depot
  5. Select the workflows that will be allowed to start builds in your project
    • All workflows, excluding pull_request: All workflows will be allowed to start builds in your project, except for builds that are triggered by pull requests. This is because pull requests could be opened by developers outside your team (i.e., a fork) so you may not want to allow those workflows access to your Depot project.
    • Only pull_request workflows: Only pull requests will be allowed to start builds in your project.
    • All workflows: All workflows will be allowed to invoke builds in your project.
  6. Click Add trust relationship

Once you have a trust relationship configured, you can update your action workflows to make use of GitHub's OIDC token with Depot. See our GitHub Actions guide for more details.