Terminus Machine Tokens (Auth0 Logins)

It’s been over two years since the first implementation of Pantheon’s command line interface—Terminus—was released, and in that time a lot has changed. Today I’m happy to announce that we’ve added a major improvement for developers using Terminus to help with Continuous Integration, automated testing, or other scripted workflows: machine tokens.

Up to now, authentication for Terminus has been done with a user’s email and password, which leaves a lot to be desired when implementing scripted automations that will run outside your laptop. Nobody wants their personal credentials in scripts that will be shared with other developers, and there aren’t great options for responding to leaked data other than changing your password.

Machine tokens solve both of these problems. By generating specific tokens for specific machines—e.g. one for your laptop, one for the CI service, etc.—you can manage access across a range of use cases. Tokens can also be individually revoked if a machine or service is retired, or if there is ever any concern about a script containing a token falling into the wrong hands.

As an added benefit, machine token authentication doesn’t require re-authorization for each new session. This saves time for every developer using the Pantheon CLI as they no longer have to type in their password at the beginning of every workday.

Tokens are available in your user dashboard today, and require the most recent version of Terminus (v0.11.0) to use. In time they will become the only way to authenticate for Terminus access, as they are simply a better way to handle authentication for scripted uses.

We recommend every developer using the CLI tools take a look and try out token based authentication at their earliest convenience. We’re eager to hear your feedback on this new feature, so don’t hesitate to reach out if you have questions, concerns, or suggestions.

Topics Security

Let’s get in touch