Authentication

All provenance commands require an API token to authenticate with the NetRise Provenance API. Obtain your token from the NetRise Provenance platform.

Setting your token

The CLI resolves configuration in priority order: CLI flag > environment variable > config file > default.

Environment variable
Config file
CLI flag

The recommended approach, especially for CI/CD pipelines:

export PROVENANCE_API_TOKEN=<your-token>

Once set, all provenance commands will use this token automatically.

Add your token to ~/.config/provenance/config.yaml:

~/.config/provenance/config.yaml

token: <your-token>

This is convenient for local development so you don’t need to export the variable in every shell session.

Pass the token directly on the command line (overrides all other sources):

provenance --token <your-token> query package 'pkg:deb/debian/curl@7.68.0-1'

Avoid this in CI/CD — the token will appear in shell history and process listings.

Verifying authentication

Use config test to verify your token and API connectivity:

provenance config test

This checks that the API is reachable and the token is valid, without making any data queries.

What happens without a token

If no token is configured, the CLI exits with an error:

No API token configured.

Set the PROVENANCE_API_TOKEN environment variable:
  export PROVENANCE_API_TOKEN=<your-token>

Or use the --token flag:
  provenance --token <your-token> query package ...

Or add it to the config file (~/.config/provenance/config.yaml):
  token: <your-token>

Legacy variable names

The older environment variables NETRISE_API_TOKEN and NETRISE_API_URL are still supported as fallbacks. If PROVENANCE_API_TOKEN is not set, the CLI checks NETRISE_API_TOKEN. Prefer the PROVENANCE_ prefix for new configurations.

API URL

The default API base URL is https://provenance.netrise.io/v1/provenance. Override it via:

export PROVENANCE_API_URL=https://custom.endpoint/v1/provenance

Or in the config file:

~/.config/provenance/config.yaml

api_url: https://custom.endpoint/v1/provenance

Security best practices

In GitHub Actions, store the token as a repository secret (PROVENANCE_API_TOKEN) and reference it as ${{ secrets.PROVENANCE_API_TOKEN }}. Never hardcode tokens in workflow files or commit them to version control.

Configuration file

Full reference for all config file options and environment variables.

GitHub Actions

How to use the provenance GitHub Action with secrets.

Get Started

Command Reference

Policy Engine

Configuration

CI/CD Integration

Setting your token

Verifying authentication

What happens without a token

Legacy variable names

API URL

Security best practices

Configuration file

GitHub Actions

Build docs developers (and LLMs) love

Get Started

Command Reference

Policy Engine

Configuration

CI/CD Integration

Documentation Index

​Setting your token

​Verifying authentication

​What happens without a token

​Legacy variable names

​API URL

​Security best practices

Configuration file

GitHub Actions

Build docs developers (and LLMs) love

Setting your token

Verifying authentication

What happens without a token

Legacy variable names

API URL

Security best practices