> ## Documentation Index
> Fetch the complete documentation index at: https://docs.suprsend.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Set up authentication for the SuprSend CLI using service tokens.

## Get Your Service Token

1. Log in to your [SuprSend dashboard](https://app.suprsend.com)
2. Go to **Account Settings → Service Tokens**
3. Create a new service token or copy an existing one

## Authentication Methods

The CLI resolves authentication using this priority order:

| Priority | Method               | When to Use                                                               | Duration      |
| -------- | -------------------- | ------------------------------------------------------------------------- | ------------- |
| 1        | Environment Variable | Running the CLI inside **CI/CD pipelines, Docker containers and servers** | Session-based |
| 2        | Command-Line Flag    | Best for **one-off commands, local testing, debugging**                   | One-time      |

### Environment Variable

**Best for development environments, CI/CD jobs, or scripts.**\
Define your token once per session, and all CLI commands in that script will use it automatically.

```bash theme={"system"}
export SUPRSEND_SERVICE_TOKEN="your_service_token_here"
```

### Command-Line Flag

**Best for running ad-hoc commands locally or for testing or debugging with different credentials.** <br />
Pass the token inline without modifying your environment. We don't recommend this method since flags can appear in shell history or process listings.

```bash theme={"system"}
suprsend workflow list --service-token "your_service_token_here"
```

<Info>
  **Self-hosted or BYOC deployment?** These two methods work for SuprSend Cloud (SaaS), where the CLI connects to default SuprSend endpoints. If you are running a self-hosted or BYOC deployment with custom API endpoints, you'll need to set up CLI profiles to tell the CLI where your servers are. See [Setting Up CLI Access](/docs/self-hosted/cli-profiles).

  Profiles are not related to workspaces. The `-w` flag (e.g., `-w production`) selects a workspace. Profiles configure which *server* the CLI connects to.
</Info>

***

## Security best practices

* **Do not commit tokens** in scripts, repositories, or configuration files.
* Prefer **environment variables** over command-line flags, since flags can appear in shell history or process listings.
* **Rotate service tokens regularly** and follow principle of least privilege and restrict permissions to the minimum required.

### Rotation Strategy

**1. Scheduled Rotation:** Implement a scheduled rotation of service tokens (e.g. every 6 months) to reduce the risk of long-term exposure.

**2. Ad-Hoc Rotation:** Rotate tokens immediately if you suspect that a token has been compromised or if it has been inadvertently exposed.