Keptn v1 reached EOL December 22, 2023. For more information see

Authenticate Keptn CLI and Bridge

After you install Keptn, you must authenticate the Keptn CLI and Bridge against the Keptn cluster. To do this, you need to:

  • Get the exposed Keptn endpoint
  • Get the API token
  • Run keptn auth, supplying the Keptn endpoint and API token

The Keptn endpoint and the API token are created during the Keptn installation.

Authenticate CLI on Linux and MacOS

Do the following from the shell:

  1. Get the Keptn endpoint from the api-gateway-nginx. Follow the instructions in Choose access options to get the Keptn endpoint for the access option you are using and, optionally, store that endpoint in an environment variable (step 3 reads it from KEPTN_ENDPOINT).

  2. Set the environment variable KEPTN_API_TOKEN:

    KEPTN_API_TOKEN=$(kubectl get secret keptn-api-token -n keptn \
        -ojsonpath={.data.keptn-api-token} | base64 --decode)

  3. To authenticate the CLI against the Keptn cluster, use the keptn auth command:

    keptn auth --endpoint=$KEPTN_ENDPOINT --api-token=$KEPTN_API_TOKEN

    Note: If you receive the warning "Using a file-based storage for the key because the password-store seems to be not set up.", it means that no password store could be found in your environment. In this case, the credentials are stored in ~/.keptn/.password-store in your home directory.
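The note above means the API token can end up on disk under ~/.keptn/.password-store. As an added example (not part of the Keptn documentation or project), these shell functions check that the path is accessible by its owner only and tighten it if not. The function names and the owner-only policy are assumptions of this example; the default path is the one named in the note.

```shell
#!/bin/sh
# Added example, not Keptn project code. The default path is the fallback
# location named in the keptn auth warning; the owner-only policy and the
# function names are assumptions of this example.
KEPTN_STORE_DEFAULT="${HOME:-}/.keptn/.password-store"

# keptn_store_audit [PATH]
#   returns 0: every entry under PATH is accessible by the owner only
#   returns 1: at least one entry grants group/other access (paths printed)
#   returns 2: PATH does not exist (no file-based store in use)
keptn_store_audit() {
    ks_store="${1:-$KEPTN_STORE_DEFAULT}"
    [ -e "$ks_store" ] || return 2
    # "-perm -NNN" is POSIX and matches when all bits of NNN are set, so each
    # group/other bit is tested on its own. Symlinks are skipped because their
    # own mode bits are not meaningful.
    ks_exposed=$(find "$ks_store" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$ks_exposed" ] && return 0
    printf '%s\n' "$ks_exposed"
    return 1
}

# keptn_store_lockdown [PATH]
#   Removes all group/other permissions, then re-audits and returns that result.
keptn_store_lockdown() {
    ks_store="${1:-$KEPTN_STORE_DEFAULT}"
    [ -e "$ks_store" ] || return 2
    chmod -R go-rwx "$ks_store" && keptn_store_audit "$ks_store"
}
```

Source the file, then run keptn_store_audit after keptn auth; a return code of 1 lists the entries to fix, and keptn_store_lockdown applies the fix.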

Authenticate CLI on Windows

Do the following in the Windows Command Line:

  1. Set the environment variable KEPTN_ENDPOINT:

  2. Get the Keptn API Token encoded in base64:

    kubectl get secret keptn-api-token -n keptn -ojsonpath={.data.keptn-api-token}

  3. Save the encoded API token in a text file such as keptn-api-token-base64.txt.

  4. Decode the file:

    certutil -decode keptn-api-token-base64.txt keptn-api-token.txt

  5. Open the newly created file keptn-api-token.txt, copy the value, and paste it into the next command:

    set KEPTN_API_TOKEN=<your-token>

  6. To authenticate the CLI against the Keptn cluster, use the keptn auth command:

    keptn.exe auth --endpoint=%KEPTN_ENDPOINT% --api-token=%KEPTN_API_TOKEN%

Authenticate Keptn Bridge

After installing and exposing Keptn, you can access the Keptn Bridge by using a browser and navigating to the Keptn endpoint without the api path at the end of the URL. You can also use the Keptn CLI to retrieve the Bridge URL using:

    keptn status

The Keptn Bridge has basic authentication enabled by default and the default user is keptn with an automatically generated password.

  • To get the username for authentication, execute:

    kubectl get secret -n keptn bridge-credentials -o jsonpath="{.data.BASIC_AUTH_USERNAME}" | base64 --decode

  • To get the password for authentication, execute:

    kubectl get secret -n keptn bridge-credentials -o jsonpath="{.data.BASIC_AUTH_PASSWORD}" | base64 --decode

  • If you want to change the user and password for the authentication, follow the instructions here.

See OpenID Authorization for information about using OAUTH authorization for the Keptn Bridge.