Configuring Authentication
Drift Authentication (PactFlow)
Drift authenticates with PactFlow to validate your licence and download provider configurations. This is separate from authenticating to the API you are testing.
Authenticating with drift auth login
The recommended way to authenticate is with the drift auth command:
```bash
drift auth login
```
Drift prompts you for your PactFlow workspace URL and API token, then exchanges them for a session token cached locally for 7 days:
```
PactFlow URL: https://your-workspace.pactflow.io
PactFlow token:
Authenticated as Jane Smith <jane.smith@example.com> (expires 2026-03-26 00:36:28 UTC)
```
Obtain your API token from Settings → API Tokens in your PactFlow workspace.
Authenticating with environment variables
Alternatively, set your credentials as environment variables before running drift auth. Drift reads these automatically to create the token:
```bash
export PACT_BROKER_BASE_URL="https://your-workspace.pactflow.io"
export PACT_BROKER_TOKEN="your-api-token"
```
This is the recommended approach for CI/CD pipelines where interactive login is not available.
Authenticating with drift init
If you are setting up a new project, drift init includes an interactive authentication step as part of its onboarding flow. See Interactive Onboarding with drift init for details.
Checking your session
```
drift auth status
Authenticated as Jane Smith <jane.smith@example.com> (expires 2026-03-26 00:36:28 UTC)
```
Logging out
```
drift auth logout
Logged out from https://your-workspace.pactflow.io/
```
Token types
| Token type | Use case |
|---|---|
| Read-only (Development) | Local development and testing |
| System Account | CI/CD pipelines that publish contracts. Requires appropriate roles and permissions. |
Target API Authentication
In addition to Drift authentication, you may need to authenticate to the system under test (the API you are verifying). Configure this in your test cases.
Global configuration
Use the global block in your drift.yaml to apply authentication parameters to every request in your suite.
```yaml
global:
  auth:
    apply: true # Automatically applies to all operations
    parameters:
      authentication:
        scheme: bearer
        token: ${functions:bearer_token} # Dynamic call to Lua function
```
Dynamic token generation
In your product.lua file, implement the logic to return a valid credential. Drift handles the Bearer prefix automatically when the scheme is set to bearer.
```lua
-- product.lua
local function bearer_token()
  -- Returns a UTC timestamp as a mock bearer token
  return os.date("!%Y-%m-%dT%H:%M:%SZ")
end

local exports = {
  exported_functions = {
    bearer_token = bearer_token
  }
}
return exports
```
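For a real credential rather than the mock timestamp, the function can read the token from the environment so that it never lives in `product.lua` or `drift.yaml`. This is an added example, not code from the Drift documentation; it assumes Drift's Lua runtime exposes the standard `os.getenv` and that a raised error aborts the run, and `TARGET_API_TOKEN` and `clean_token` are hypothetical names.

```lua
-- product.lua (added example, not from the Drift documentation)
-- Assumption: the Lua runtime exposes the standard os.getenv function.
-- TARGET_API_TOKEN is a hypothetical variable name chosen for this example.
local TOKEN_ENV = "TARGET_API_TOKEN"

-- Normalise and validate a raw credential string (hypothetical helper).
-- Returns the token, or nil plus an error message.
local function clean_token(raw)
  if type(raw) ~= "string" then
    return nil, TOKEN_ENV .. " is not set"
  end
  -- Trim surrounding whitespace; secrets read from files often end in a newline.
  local token = raw:match("^%s*(.-)%s*$")
  -- Drift adds the Bearer prefix itself when the scheme is bearer, so strip
  -- one pasted in by mistake to avoid sending "Bearer Bearer <token>".
  local rest = token:match("^[Bb]earer%s+(.+)$")
  if rest then token = rest end
  if token == "" then
    return nil, TOKEN_ENV .. " is empty"
  end
  -- Whitespace and control characters are not valid inside a bearer token
  -- and would corrupt the Authorization header.
  if token:find("[%s%c]") then
    return nil, TOKEN_ENV .. " contains whitespace or control characters"
  end
  return token
end

local function bearer_token()
  local token, err = clean_token(os.getenv(TOKEN_ENV))
  if not token then
    -- Fail loudly, but never include the credential in the message.
    error("bearer_token: " .. err, 0)
  end
  return token
end

local exports = {
  exported_functions = {
    bearer_token = bearer_token
  }
}
return exports
```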
Testing unauthorized access
To verify 401 Unauthorized responses, explicitly exclude the global auth block for specific operations:
```yaml
operations:
  getAllProducts_Unauthorized:
    target: source-oas:getAllProducts
    exclude:
      - auth # Ignores the global auth configuration
    parameters:
      headers:
        authorization: "Bearer invalid-token"
    expected:
      response:
        statusCode: 401
```