Authentication overview
Netlify provides authentication mechanisms for both user access to its platform UI and programmatic interaction with its API. User authentication primarily relies on OAuth-based integrations with Git providers or traditional email/password credentials to manage sites, deployments, and team settings. For automated workflows, command-line interfaces (CLIs), and custom integrations, Netlify utilizes Personal Access Tokens (PATs) to secure API requests. This dual approach ensures that human users can easily manage their projects while automated systems can perform necessary operations with granular permissions.
The Netlify API follows a RESTful architecture, allowing developers to manage sites, deploys, DNS records, and more programmatically. All API endpoints require authentication, typically through a Bearer token in the Authorization header when using PATs. Understanding the different authentication flows is crucial for integrating Netlify into continuous deployment pipelines, custom dashboards, or serverless functions that interact with the platform's services.
Supported authentication methods
Netlify supports several authentication methods, each designed for specific interaction types and security requirements. The choice of method depends on whether you are accessing the Netlify UI, using the Netlify CLI, or making direct API calls from an application or script.
User Interface and CLI Authentication
- Git Provider OAuth: This is the primary method for signing up and logging into the Netlify UI. Netlify integrates with popular Git hosting services, allowing users to authenticate via their existing GitHub, GitLab, or Bitbucket accounts. This method streamlines the setup of continuous deployment by linking directly to repositories. Netlify also supports Azure DevOps as a Git provider for repository linking, though initial login via Azure DevOps OAuth is not directly supported for account creation.
- Email/Password: Users can also create a Netlify account and log in using an email address and password. This method is available for those who prefer not to link a Git provider account for UI access or if their Git provider is not directly supported for initial login.
- Netlify CLI Login: The Netlify Command Line Interface typically authenticates users by opening a web browser to complete an OAuth flow with Netlify, which then generates an authentication token stored locally for CLI operations. This process is initiated by running `netlify login` in the terminal.
API Authentication
- Personal Access Tokens (PATs): PATs are long-lived tokens generated from the Netlify UI. They are used to authenticate direct API calls and are essential for automated scripts, CI/CD pipelines, and serverless functions interacting with the Netlify API. PATs grant access to resources based on the permissions assigned to the user who generated them. It is recommended to create PATs with the minimum necessary scopes and to revoke them when no longer needed to minimize security risks. The Netlify API documentation details the available scopes and their corresponding permissions for PATs.
- OAuth Applications: For third-party applications or services that need to interact with Netlify on behalf of multiple users, Netlify supports OAuth 2.0. This allows users to grant specific permissions to an application without sharing their credentials directly. Developers can register OAuth applications within their Netlify team settings, defining redirect URLs and scopes. This method is suitable for building integrations that require user consent, similar to how many developer tools integrate with other services, as described by the OAuth 2.0 specification.
Authentication Methods Summary
The following table summarizes the primary authentication methods available for Netlify:
| Method | When to Use | Security Level / Best Practice |
|---|---|---|
| Git Provider OAuth (e.g., GitHub) | Logging into Netlify UI, linking repositories, initial CLI setup. | High. Leverages external identity providers. Enable MFA on Git provider. |
| Email/Password | Logging into Netlify UI if not using a Git provider. | Moderate. Requires strong, unique passwords and MFA on Netlify. |
| Personal Access Tokens (PATs) | Programmatic API access, CI/CD pipelines, Netlify CLI after initial login. | High. Treat as sensitive credentials. Use specific scopes, revoke unused tokens. |
| OAuth Applications | Third-party integrations requiring delegated access from multiple users. | High. Requires secure client ID/secret management and proper scope handling. |
Getting your credentials
The process for obtaining credentials varies depending on the authentication method you intend to use.
For UI and Git Provider Authentication
To access the Netlify UI, you typically sign up or log in via a supported Git provider (GitHub, GitLab, Bitbucket) or with an email and password. Your Git provider credentials serve as your authentication for Netlify in this scenario. If using email/password, these are set during account creation.
- Sign Up/Log In: Navigate to the Netlify sign-up page and choose your preferred method.
For Personal Access Tokens (PATs)
PATs are generated directly within the Netlify web interface:
- Log in to the Netlify app.
- Navigate to your user settings by clicking your avatar in the top right corner, then selecting "User settings".
- In the left sidebar, click on "Applications".
- Scroll down to the "Personal access tokens" section.
- Click "New access token".
- Provide a descriptive name for your token (e.g., "CI/CD Pipeline Access", "Local Development").
- (Optional, but recommended) Select specific scopes for the token to limit its permissions. For example, if your token only needs to deploy sites, grant it the `deploy_hooks` scope and potentially `sites:write` if it needs to create new sites.
- Click "Generate token".
- Copy the generated token immediately. It will only be shown once. Treat it like a password and store it securely.
For detailed instructions, refer to the Netlify API documentation on access tokens.
For OAuth Applications
To set up an OAuth application for third-party integrations:
- Log in to the Netlify app.
- Navigate to "Team settings" for the team where you want to register the application.
- In the left sidebar, click on "OAuth apps".
- Click "Register new OAuth app".
- Fill in the required details, including the application name, homepage URL, description, and critical Redirect URLs.
- Define the scopes your application will request from users.
- Upon registration, you will receive a Client ID and Client Secret. These credentials are used in the OAuth 2.0 flow to obtain access tokens on behalf of users.
Authenticated request example
When using a Personal Access Token (PAT) to interact with the Netlify API, you include the token in the Authorization header of your HTTP requests. The token should be prefixed with Bearer. Here's an example of fetching a list of your Netlify sites using curl, assuming you have a PAT:
curl -X GET \
  -H "Authorization: Bearer YOUR_NETLIFY_PAT" \
  "https://api.netlify.com/api/v1/sites"
Replace YOUR_NETLIFY_PAT with your actual Personal Access Token. This request would return a JSON array of your Netlify sites, each with its properties such as ID, name, and URL. More detailed API endpoint information, including request and response formats, can be found in the Netlify API reference documentation.
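The same request in Python, as an added example that is not part of the Netlify documentation or any Netlify SDK: the PAT is read from an environment variable (the variable name NETLIFY_AUTH_TOKEN and the helper names are this example's own assumptions) as recommended under Security best practices, sent as a Bearer header, and masked before any error text is surfaced. The sample response is constructed for offline use.

```python
import json
import os
import re
import urllib.error
import urllib.request

# Assumed names (not from Netlify's docs): the env var and helpers are this example's own.
API_BASE = "https://api.netlify.com/api/v1"
TOKEN_ENV = "NETLIFY_AUTH_TOKEN"

# Constructed sample of a GET /sites response (not real Netlify data), for offline use.
SAMPLE_RESPONSE = ('[{"id": "site-id-1", "name": "example-site", '
                   '"url": "https://example-site.netlify.app", "ssl": true}]')


def load_token(env=os.environ):
    """Read the PAT from the environment instead of hardcoding it in source."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"set {TOKEN_ENV} to a Netlify personal access token")
    return token


def build_sites_request(token):
    """Build GET /sites with the PAT in the Authorization header, prefixed with Bearer."""
    return urllib.request.Request(
        f"{API_BASE}/sites",
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )


def redact(text):
    """Mask anything that looks like a Bearer credential before it reaches a log."""
    return re.sub(r"Bearer\s+\S+", "Bearer [REDACTED]", text)


def summarize_sites(payload):
    """Reduce the JSON array to the fields the page mentions: id, name, url."""
    return [{"id": s.get("id"), "name": s.get("name"), "url": s.get("url")}
            for s in json.loads(payload)]


def fetch_sites(token):
    """Perform the request; a 401/403 means a bad token or missing scope, so report
    the status without echoing the credential."""
    try:
        with urllib.request.urlopen(build_sites_request(token), timeout=15) as resp:
            return summarize_sites(resp.read().decode())
    except urllib.error.HTTPError as e:
        raise RuntimeError(redact(f"Netlify API returned {e.code}: {e.reason}")) from None


if __name__ == "__main__":
    for site in fetch_sites(load_token()):
        print(site["id"], site["name"], site["url"])
```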
Security best practices
Adhering to security best practices when authenticating with Netlify is crucial to protect your projects and data. These practices apply to both user accounts and programmatic access via API tokens.
- Enable Multi-Factor Authentication (MFA): For your Netlify account, always enable MFA. This adds an extra layer of security, requiring a second verification step beyond your password or Git provider login. Netlify supports MFA through authenticator apps.
- Use Strong, Unique Passwords: If you use email/password for your Netlify account, ensure your password is strong, unique, and not reused across other services.
- Limit Personal Access Token (PAT) Scopes: When generating PATs, grant only the minimum necessary permissions (scopes) required for the task. For instance, a token used solely for deploying a specific site should not have global administrative permissions. This limits the potential damage if the token is compromised.
- Rotate PATs Regularly: Periodically generate new PATs and revoke old ones. This practice reduces the window of opportunity for a compromised token to be exploited.
- Store PATs Securely: Never hardcode PATs directly into your source code. Instead, use environment variables, secret management services, or secure configuration files. For CI/CD pipelines, utilize the secret management features provided by your CI/CD platform (e.g., GitHub Actions secrets, GitLab CI/CD variables). The AWS Secrets Manager documentation provides general guidance on secure secret storage.
- Revoke Unused Tokens: Actively revoke any PATs that are no longer in use, or for users who have left your team. This can be done through the Netlify UI in your user settings under "Applications."
- Monitor Audit Logs: Regularly review Netlify's audit logs (available on Pro and Business plans) to detect any unusual or unauthorized activity related to your account or team.
- Educate Your Team: Ensure all team members understand and follow these security best practices for managing their Netlify accounts and any PATs they generate.
- Keep Dependencies Updated: If you are using libraries or tools that interact with Netlify, ensure they are kept up-to-date to benefit from the latest security patches.