This feature is in public preview.
Authenticating
There are three ways to authenticate the Pinecone CLI: through a web browser with user login, using a service account, or with an API key. This table describes the Pinecone operations supported by each authentication method:Method | Admin API | Control plane |
---|---|---|
User login | ✅ | ✅ |
Service account | ✅ | ✅ |
API key | ❌ | ✅ |
-
Admin API–related commands (organization and project management, API key operations):
pc organization
(list
,describe
,update
,delete
)pc project
(create
,list
,describe
,update
,delete
)pc api-key
(create
,list
,describe
,update
,delete
)
-
Control plane–related commands (index management):
pc index
(create
,list
,describe
,configure
,delete
)
Commands for data plane operations will be added in a future release.
User login
User login requires you to authenticate through a web browser. Subsequent CLI requests use a locally stored auth token that expires after 30 minutes but refreshes automatically. After 24 hours, you must re-authenticate.pc auth login
, the CLI automatically targets:
- The default organization returned by the server for your user.
- The first project in the list of that organization’s projects.
To learn more about targeting organizations and projects, see CLI target context. To understand how the CLI prioritizes authentication methods, see Auth priority.
Service account
To authenticate with a service account, provide a client ID and secret associated with a service account.- If your organization has only one project, the CLI automatically targets that project.
-
If your organization has multiple projects, the CLI prompts you to select a project (or you can use the
--project-id
flag, as shown above). -
If your organization has no projects, create one. Then, set it as the target:
To learn more about targeting organizations and projects, see CLI target context. To understand how the CLI prioritizes authentication methods, see Auth priority.
API key
You can also use an API to authenticate the CLI with Pinecone. This is useful for automation or CI/CD scenarios where you can’t use interactive user login or a service account. Since each API key is associated with a specific project, the CLI uses that key’s project for all operations. A default (manually specified) API key overrides any target context you’ve set — you don’t need to runpc target
.
Because API keys are associated with a specific organization and project, they do not require target context. Also, to understand how the CLI prioritizes authentication methods, see Auth priority.
Auth priority
The CLI chooses which authentication method to use based on the type of operation.Control plane operations (indexes)
Control plane operations prioritize authentication credentials in the following order:- Default API key - Uses the project associated with the key.
- User login token - Creates and uses managed keys.
- Service account - Creates and uses managed keys.
Admin API operations (organizations, projects, API keys)
Admin API operations prioritize authentication credentials in the following order:- User login token
- Service account
Default API keys do not provide Admin API access.
Environment variables vs. stored configuration
Within each credential type, environment variables always override stored configuration:PINECONE_API_KEY
(env var) overrides default API key stored viapc auth configure --api-key
.PINECONE_CLIENT_ID
andPINECONE_CLIENT_SECRET
(env vars) override service account credentials stored viapc auth configure
.- User login tokens have no environment variable equivalent. They’re always stored locally.
- If
PINECONE_API_KEY
(env var) is set, the CLI uses it for control plane operations, regardless of any stored default API key value. - If you’re logged in via
pc auth login
and also havePINECONE_CLIENT_ID
andPINECONE_CLIENT_SECRET
set:- Control plane operations: User login token is used (creates managed keys).
- Admin API operations: User login token is used.
- The service account env vars are ignored.
- If you have a default API key stored via
pc auth configure --api-key
and are also logged in through the web browser:- Control plane operations: Default API key is used.
- Admin API operations: User login token is used.
Default API keys and target context
Default (manually specified) API keys override any target context. Control plane operations always use the project associated with the API key, regardless of what you’ve set with
pc target
.pc auth configure --api-key
or PINECONE_API_KEY
):
- The default API key is used for control plane operations.
- Managed keys are not created.
- If you also have user login or service account credentials, those are still used for Admin API operations.
pc auth configure --api-key
or PINECONE_API_KEY
) does not clear user login tokens or service account credentials.
User login and service accounts
User login and service accounts are mutually exclusive when configured via CLI commands:- Running
pc auth login
clears any stored service account credentials. - Running
pc auth configure --client-id --client-secret
clears the stored auth token frompc auth login
.
PINECONE_CLIENT_ID
and PINECONE_CLIENT_SECRET
) without running pc auth configure
, the CLI does not clear your stored user login token.
User login and service accounts both use managed keys for control plane operations (unless you’ve set a default API key).
Clearing credentials (logging out)
To clear your authentication credentials:- User login token
- Service account credentials (client ID and secret)
- Default (manually specified) API key
- Locally managed keys (for all projects)
- Target organization and project context
pc auth logout
does not delete managed API keys from Pinecone’s servers. Those keys remain active and can be used to access your projects. To fully clean up, run pc auth local-keys prune
before logging out. See Deleting API keys for details.Managed keys
When authenticated with user login or a service account, the CLI automatically creates and manages API keys for control plane operations. This happens transparently, the first time you run a control plane command likepc index list
. You don’t need to create or manage these keys yourself.
When managed keys are created
Managed keys are created only when you’re authenticated via user login or service account, and there’s no default (manually specified) API key set. After authenticating, the first time you run a control plane command likepc index list
:
- The CLI checks if a managed key already exists locally for the target project.
- If not found, the CLI creates a new API key via the Admin API.
- The key is stored both remotely (in Pinecone) and locally for future use.
If you set a default API key, managed keys are not created. The default API key is used instead.
Where managed keys are stored
Managed API keys are stored locally and remotely:- Local: Stored in
~/.config/pinecone/secrets.yaml
under theproject_api_keys
field as plain text, with file permissions set to 0600 (owner read/write only). For more details, see Local data storage. - Remote: Stored in Pinecone as regular API keys, visible in the web console.
The CLI will not display managed API keys after they’re created.
Identifying managed keys
In the Pinecone web console, CLI-created keys have:- Name:
pinecone-cli-{6-character-alphanumeric}
(for example,pinecone-cli-a3f9k2
) - Origin:
cli_created
secrets.yaml
file, including which projects they belong to.
Deleting API keys
There are a few ways to use the CLI to delete API keys (managed or not), locally and remotely. Delete locally tracked managed keys (local and remote): Thepc auth local-keys prune
command deletes managed keys that are tracked in your local secrets.yaml
file. It does not affect API keys that were created outside the CLI or aren’t tracked locally.
pc api-key create --store
for a project that already has a CLI-created managed key, the CLI automatically deletes the old remote key before storing the new one. This prevents accumulating multiple managed keys per project.
pc auth logout
deletes only the local references to managed keys. The keys remain active remotely in Pinecone. To fully clean up, run pc auth local-keys prune
before logging out.Local data storage
Authentication data is stored in~/.config/pinecone/
with restricted permissions (0600):
secrets.yaml
- Sensitive data:
oauth2_token
: Token associated with a user login (pc auth login
)client_id
,client_secret
: Service account credentialsapi_key
: Default (manually specified) API keyproject_api_keys
: Managed keys per project
state.yaml
- Context:
target_org
: Current organization (name and ID)target_project
: Current project (name and ID)
config.yaml
- Settings:
color
: Enable/disable colored outputenvironment
: Production or staging
Check authentication status
- Current authentication method
- Target organization and project
- Token expiration (for user login)
- Environment configuration