glab auth login: Authenticate the GitLab CLI in CI
glab auth login authenticates the GitLab CLI; in CI you feed it a token on stdin instead of using the interactive prompt.
The GitLab CLI (glab) needs credentials before any mr/ci/release command works. In pipelines you authenticate non-interactively with a project or personal access token.
What it does
glab auth login stores credentials for a GitLab host. Interactively it walks a prompt; non-interactively it reads a token from stdin with --stdin, or you skip login entirely by exporting GITLAB_TOKEN (and GITLAB_HOST for self-managed).
Common usage
# non-interactive, token on stdin
glab auth login --hostname gitlab.com --stdin <<< "$GLAB_PAT"
# self-managed instance
glab auth login --hostname gitlab.example.com --stdin <<< "$CI_JOB_TOKEN"
# or skip login: just export the token
export GITLAB_TOKEN="$GLAB_PAT"
glab auth statusOptions
| Flag | What it does |
|---|---|
| --hostname <host> | GitLab host to authenticate against (default gitlab.com) |
| --stdin | Read the token from standard input (non-interactive) |
| --token <token> | Provide the token directly (avoid; leaks in process list) |
| --api-protocol <p> | https or http for the API endpoint |
| --job-token | Treat the token as a CI job token (CI_JOB_TOKEN) |
In CI
Prefer exporting GITLAB_TOKEN over running auth login at all; glab reads it automatically and there is no config file to persist. For self-managed hosts also set GITLAB_HOST or pass --hostname on every command. CI_JOB_TOKEN works for many read and pipeline operations but cannot create merge requests, so use a project access token for mr commands.
Common errors in CI
"authentication required" or "401 Unauthorized" means no valid token: check GITLAB_TOKEN is set and not masked to empty. "Get \"https://gitlab.com/api/v4/...\": ... no such host" on a self-managed setup means GITLAB_HOST/--hostname is missing. "insufficient_scope" means the token lacks the api scope; a read_repository token cannot open MRs.