---
title: Authenticating to services
description: "Ping CLI supports two authentication approaches: interactive user sign-on for workstation use, and service authentication for automated environments. The right choice depends on whether a human is present during the CLI session."
component: pingcli
version: 1.0
page_id: pingcli:using_pingcli:authenticating-to-services
canonical_url: https://developer.pingidentity.com/pingcli/1.0/using_pingcli/authenticating-to-services.html
revdate: June 9, 2026
section_ids:
  interactive-user-sign-on: Interactive user sign-on
  service-authentication: Service authentication
  learn-more: Learn more
---

# Authenticating to services

Ping CLI supports two authentication approaches: interactive user sign-on for workstation use, and service authentication for automated environments. The right choice depends on whether a human is present during the CLI session.

| ***Approach***           | ***Grant types***               | ***Typical context***                         | ***Browser required***         | ***MFA applies*** |
| ------------------------ | ------------------------------- | --------------------------------------------- | ------------------------------ | ----------------- |
| Interactive user sign-on | Authorization code, Device code | Developer workstation, ad-hoc admin tasks     | Auth code: yes; Device code: no | Yes               |
| Service authentication   | Client credentials              | CI/CD pipelines, automation, service accounts | No                             | No                |

## Interactive user sign-on

Interactive sign-on authenticates a human user against configured services using OAuth 2.0. Two grant types are available: authorization code for environments with a browser, and device code for remote or headless terminals. When a session ends, reauthentication is required at the next login.

> PingOne requires all administrator accounts to complete multi-factor authentication (MFA) during interactive sign-on. This policy is enforced by PingOne and cannot be disabled. Administrators using an external identity provider (IdP) for primary authentication satisfy this requirement through that provider's MFA instead.

[Interactive user sign-on](authenticating-interactive.html)

## Service authentication

Service authentication uses the OAuth 2.0 client credentials flow to authenticate as an application rather than a user. No browser or human interaction is required. This is the recommended approach for CI/CD pipelines, scheduled jobs, and any context where a human operator is not present.

[Service authentication](authenticating-service.html)

## Learn more

* [Connect Ping Identity services](connecting-ping-services.html)

* [Interactive user sign-on](authenticating-interactive.html)

* [Service authentication](authenticating-service.html)

* [Configuration settings reference](../settings_reference/configuration-settings-reference.html)
