docs: remove "enhanced security" framing for JWT auth
JWT Bearer is an alternative to client secrets, not an inherently
stronger security measure. Reword to present it as an alternative
without claiming enhanced/stronger security.
docs/guide/authentication.md
4 additions & 9 deletions
@@ -50,7 +50,7 @@ The CLI supports five authentication methods:
50
50
51
51
**Client Credentials** uses the API client's secret for non-interactive authentication. This is ideal for CI/CD pipelines and automation.
52
52
53
-
**JWT Bearer** uses a public/private certificate pair for secure authentication without storing client secrets. This is ideal for production environments and CI/CD where you want stronger security. See [JWT Authentication](#jwt-authentication-certificate-based) for details.
53
+
**JWT Bearer** uses a public/private certificate pair for authentication without storing client secrets. See [JWT Authentication](#jwt-authentication-certificate-based) for details.
54
54
55
55
**Stateful User Auth** uses `b2c auth login` to open a browser for interactive login once, then stores the session on disk. Subsequent commands automatically use the stored token when it is present and valid, without re-opening the browser. Clear the session with `b2c auth logout`. See [Auth Commands](/cli/auth#b2c-auth-login) for details.
56
56
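Review bot: the replacement line 53 still says "without storing client secrets", which can be read as no credential being stored at all, while the private key still has to be kept on disk (the `--jwt-key` flag referenced further down this file takes a key file). Consider "uses a public/private certificate pair instead of a client secret" so the trade-off is stated neutrally, in line with the commit message's intent.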
@@ -80,10 +80,6 @@ For Account Manager operations that require user-level roles (organization and A
80
80
-`client_secret_basic` for client credentials flow
81
81
-`private_key_jwt` for JWT Bearer authentication (certificate-based)
82
82
83
-
::: tip Certificate-Based Authentication
84
-
For enhanced security, use JWT Bearer authentication instead of client secrets. This requires uploading a certificate to the API client and using the `--jwt-cert` and `--jwt-key` flags. See [JWT Authentication](#jwt-authentication-certificate-based) for setup instructions.
85
-
:::
86
-
87
83
::: info
88
84
For client credentials with secrets, use `client_secret_basic` (the default). `client_secret_post` is not currently supported.
89
85
:::
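Review bot: deleting the tip block at lines 83-86 also drops the only mention in this section of the setup steps (upload a certificate to the API client, pass `--jwt-cert` and `--jwt-key`), so the `private_key_jwt` item at line 82 no longer points anywhere for those details. Suggest keeping a neutral one-liner after the list, e.g. "JWT Bearer requires uploading a certificate to the API client and passing `--jwt-cert` and `--jwt-key`; see [JWT Authentication](#jwt-authentication-certificate-based)", without the "enhanced security" wording.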
@@ -166,7 +162,7 @@ If you're running the CLI behind a proxy where `localhost:8080` isn't reachable
166
162
167
163
## JWT Authentication (Certificate-Based)
168
164
169
-
JWT Bearer authentication (RFC 7523) provides a more secure alternative to client secrets by using public/private certificate pairs. This is ideal for production environments and CI/CD pipelines where you want to avoid storing sensitive secrets.
165
+
JWT Bearer authentication (RFC 7523) is an alternative to client secrets that uses public/private certificate pairs. This can be useful in environments where you want to avoid storing client secrets.
170
166
171
167
### How It Works
172
168
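Review bot: the replacement at line 165 states the benefit (no client secret stored) but not the corresponding obligation, which is exactly the point the commit message makes. Suggest adding a sentence such as "The private key used to sign the assertion must still be stored and protected by the caller." so that "avoid storing client secrets" is not read as "no credential to protect".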
@@ -177,9 +173,8 @@ JWT Bearer authentication (RFC 7523) provides a more secure alternative to clien
177
173
178
174
### Benefits
179
175
180
-
-**More secure**: Private key never leaves your machine
181
-
-**No secrets to leak**: No client secret to store or compromise
182
-
-**Better for CI/CD**: Certificates can be rotated without updating secrets across pipelines
176
+
-**No client secret required**: Authenticate without storing a client secret
177
+
-**Rotation**: Certificates can be rotated without updating secrets across pipelines
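Review bot: the "Rotation" bullet at line 177 keeps a comparative claim of the kind this commit removes elsewhere ("without updating secrets across pipelines"): a rotated certificate still has to be distributed to every pipeline that signs with it. Suggest "**Rotation**: Certificates can be rotated by uploading a new certificate to the API client." Separately, dropping "Private key never leaves your machine" removes the one bullet that was a factual property rather than a comparison (with RFC 7523 the key is used only to sign the assertion and is not sent to the server); consider keeping it reworded as "**Key stays local**: the private key only signs the assertion and is never transmitted."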