Authenticating to services
Ping CLI supports two authentication approaches: interactive user sign-on for workstation use, and service authentication for automated environments. The right choice depends on whether a human is present during the CLI session.
| Approach | Grant types | Typical context | Browser required | MFA applies |
|---|---|---|---|---|
Interactive user sign-on |
Authorization code, Device code |
Developer workstation, ad-hoc admin tasks |
Auth code: yes |
Yes |
Service authentication |
Client credentials |
CI/CD pipelines, automation, service accounts |
No |
No |
Interactive user sign-on
Interactive sign-on authenticates a human user against configured services using OAuth 2.0. Two grant types are available: authorization code for environments with a browser, and device code for remote or headless terminals. When a session ends, reauthentication is required at the next login.
|
PingOne requires all administrator accounts to complete multi-factor authentication (MFA) during interactive sign-on. This policy is enforced by PingOne and cannot be disabled. Administrators using an external identity provider (IdP) for primary authentication satisfy this requirement through that provider’s MFA instead. |
Service authentication
Service authentication uses the OAuth 2.0 client credentials flow to authenticate as an application rather than a user. No browser or human interaction is required. This is the recommended approach for CI/CD pipelines, scheduled jobs, and any context where a human operator is not present.