Logging in
Three ways to authenticate the Pentify Terminal: browser-driven device pairing (recommended), pasting an API token, or the PENTIFY_API_TOKEN env var for CI.
Sign in with Pentify (recommended)
- Run pentify login.
- Your browser opens to https://app.pentify.io/auth/terminal-pair?device_id=…&device_name=<hostname>.
- Sign in to your Pentify workspace (Clerk).
- Click Authorize this device.
- Return to the terminal — pairing completes automatically and the token is written to the OS keychain.
pt_live_* API key, named Pentify Terminal · <hostname>, with scopes scans:read scans:write targets:read targets:write reports:read usage:read. View or revoke at app.pentify.io/settings/api-keys.
Paste an existing API token
For users who already have an API key from Settings → API keys:
pentify auth use-token pt_live_…
The token is validated against /v1/usage and stored in the OS keychain. If the key is rejected, the keychain entry is not written.
Use the PENTIFY_API_TOKEN env var (CI / headless)
On servers, build agents, or any host without an interactive browser, skip pentify login entirely and pass the token via env:
export PENTIFY_API_TOKEN=pt_live_…
pentify scans list # uses the env var directly, no login needed
When PENTIFY_API_TOKEN is set, the Terminal ignores the keychain entry for the active workspace and uses the env value. Unset it to fall back to the keychain.
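A preflight guard for the CI case above, as an added example that is not part of the Pentify CLI or its documentation: it checks the token before any pentify command runs and never prints it. The function names are hypothetical, and matching a revoked key on the text 401 invalid_api_key assumes the CLI surfaces that error string in its output.

```sh
#!/bin/sh
# Added example: CI preflight for PENTIFY_API_TOKEN. All function names are hypothetical.

# Report which credential the Terminal will use, per the documented precedence:
# a set PENTIFY_API_TOKEN wins over the keychain entry.
pentify_token_source() {
    if [ -n "${PENTIFY_API_TOKEN:-}" ]; then
        echo env
    else
        echo keychain
    fi
}

# Return 0 only if the env token is safe to use in this job.
# Exit codes: 1 = unset, 2 = wrong shape, 3 = shell tracing enabled.
pentify_ci_preflight() {
    # With xtrace on, the shell echoes every expanded command, token included,
    # into the build log.
    case "$-" in
        *x*) echo "preflight: set -x is on; the token would be logged" >&2; return 3 ;;
    esac
    if [ -z "${PENTIFY_API_TOKEN:-}" ]; then
        echo "preflight: PENTIFY_API_TOKEN is not set; inject it from the CI secret store" >&2
        return 1
    fi
    case "$PENTIFY_API_TOKEN" in
        pt_live_?*) ;;   # documented key prefix followed by at least one character
        *) echo "preflight: token does not start with pt_live_" >&2; return 2 ;;
    esac
    return 0
}

# Classify captured CLI output. A key revoked by a later re-pair is assumed to
# show up as "401 invalid_api_key" (assumption about the exact output text).
pentify_is_revoked() {
    case "$1" in
        *"401 invalid_api_key"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Call pentify_ci_preflight as the first step of the job and fail the build on a non-zero status; if pentify_is_revoked matches a later command's output, rotate the CI secret rather than retrying.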
Logout / re-pair
- pentify logout clears the keychain entry on the local machine.
- Re-running pentify login re-pairs. The previous token is auto-revoked server-side, so older shells using it will start returning 401 invalid_api_key.
Multi-workspace users
If your account is in more than one Pentify workspace, the browser pairing page shows a workspace picker. The Terminal stores one token per active workspace. To switch:
pentify login --workspace <name>
This re-pairs to the named workspace. Tokens for other workspaces remain in the keychain — switch back with the same flag.
pairing timed out — re-run pentify login. See Troubleshooting.