p0cli: Login: How to log in to your tenant

Last updated: April 29, 2025

Overview

The p0 login command bootstraps your local CLI with the credentials and configuration for your P0 organization. Once you’ve logged in, the CLI can:

  • Save your org’s configuration locally (Firestore endpoints, OAuth client IDs, etc.)

  • Launch a browser SSO flow for your org’s identity provider (Google, Okta, Ping, Microsoft OIDC, etc.)

  • Persist your access token and refresh token in a local file that only you can read (mode 600)

  • Validate your tenant access in Firestore

  • Let you start running p0 request, p0 aws, p0 ssh, and other commands without re-authenticating on each call


Prerequisites

  • Node.js 20+ installed

  • The P0 CLI globally installed via:

npm install -g @p0security/cli

  • Your organization’s P0 Org ID (a short string like acme-corp), which you’ve been given in your P0 account or docs.


Basic Login

1. Run the login command

p0 login <ORG_ID>

Replace <ORG_ID> with your P0 organization’s ID. This will:

  1. Fetch your org’s Firestore document (to get OAuth client IDs & tenant ID).

  2. Save that org’s config to ~/.p0/config.json (or, if you’ve set P0_ORG, to a temp-directory config).

  3. Initialize the Firebase SDK under the hood.

  4. Launch your browser to authenticate via your org’s SSO provider.

  5. Persist the resulting ID/token bundle to an identity file.

  6. Verify your Firestore tenant access.

  7. Print “You are now logged in, and can use the p0 CLI.”

2. (Optional) Use the P0_ORG env var

If you’d rather not type your org ID each time, export it once:

export P0_ORG=acme-corp
p0 login          # “org” is picked up from the env var

When you set P0_ORG, both your config and your identity file live in your system’s temp directory, which isolates them per environment.


What Files Are Created

File                                 Purpose
-----------------------------------  -----------------------------------------
~/.p0/config.json                    Your org’s Firestore & OAuth config
(or $TMP/p0/config.json-<ORG_ID>)    When P0_ORG is set, alternate location
~/.p0/identity.json                  Your saved token + org slug + expiry time
(or $TMP/p0/identity.json)           When P0_ORG is set

Files are stored with restrictive permissions (600) so only you can read them.
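
To check this on your own machine, the following added example (not part of the P0 CLI or its documentation) verifies that each file listed above is a regular file, owned by you, with mode 600. The function names are hypothetical, and it assumes that `$TMP` in the table means `${TMPDIR:-/tmp}`.

```shell
#!/bin/sh
# Added example: audit p0 credential files for the 600 mode described above.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
p0_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if $1 is a regular, non-symlink file we own with mode 600.
p0_check_file() {
    f=$1
    if [ -L "$f" ]; then echo "FAIL $f: is a symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL $f: not a regular file"; return 1; fi
    if [ ! -O "$f" ]; then echo "FAIL $f: not owned by $(id -un)"; return 1; fi
    mode=$(p0_mode "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL $f: mode $mode, expected 600"; return 1
    fi
    echo "OK   $f"
}

# Check identity.json and config.json* in directory $1.
# The return status is the number of files that failed a check.
p0_audit_dir() {
    dir=$1; failures=0
    for f in "$dir"/identity.json "$dir"/config.json*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob or absent file
        p0_check_file "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# Audit both locations from the table. The temp path is an assumption:
# "$TMP" is taken to mean ${TMPDIR:-/tmp}.
p0_audit_all() {
    rc=0
    p0_audit_dir "$HOME/.p0" || rc=1
    p0_audit_dir "${TMPDIR:-/tmp}/p0" || rc=1
    return "$rc"
}
```

Source the file and run p0_audit_all; a non-zero exit status means at least one file needs `chmod 600` or a closer look.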


Supported SSO Providers

P0 CLI will detect your org’s ssoProvider field in Firestore and pick the right login flow:

  • Google / Google-OIDC

  • Okta

  • Ping

  • Microsoft / Azure-OIDC

  • OIDC-PKCE (via a mapped providerType)

If your org uses a custom or unsupported provider, you’ll see an “Unsupported login for your organization” error.


Advanced Options

  • Skip validation

    For scripting, you can bypass the final Firestore check by passing:

await login({ org: "acme-corp" }, { skipAuthenticate: true })

    or, from the shell, by setting the environment variable for the command:

P0_SKIP_AUTHENTICATE=true p0 login acme-corp

    (Not typically needed for end-users.)

  • Automatic token refresh

    • If your saved token expires, the CLI will automatically re-launch the login flow and update the identity file before retrying any command.


Troubleshooting

  • “Could not find organization”

    • Verify your org ID is correct and spelled exactly as given.

    • If you’re pointing at a non-prod Firestore, ensure you have network access.

  • Browser didn’t open / SSO popup blocked

    • Be sure your $BROWSER env var is set or you have a default browser configured.

    • Check your popup-blocker settings.

  • “Please run p0 login <organization> to use the P0 CLI.”

    Indicates no identity file was found. Simply re-run the login command.


Logging Out / Switching Accounts

To remove your local credentials and start fresh:

p0 logout
# (or, manually)
rm ~/.p0/identity.json ~/.p0/config.json

Then invoke p0 login <ORG_ID> again.


Next Steps

Once you’re logged in:

p0 request --help   # see how to create access requests
p0 aws role ls      # list AWS roles you can assume
p0 ssh my-server    # request & open an SSH session

Enjoy seamless, just-in-time access to your cloud resources via your P0 CLI!