Configuring Authentication

Drift requires authentication to PactFlow. This is mandatory and separate from authenticating to the target system you're testing.

Authenticating with drift auth login

The recommended way to authenticate is with the drift auth command:

drift auth login

Drift prompts you for your PactFlow workspace URL and API token, then exchanges them for a session token cached locally for 7 days:

PactFlow URL: https://your-workspace.pactflow.io
PactFlow token:
Authenticated as Jane Smith <jane.smith@example.com>  (expires 2026-03-26 00:36:28 UTC)

Obtain your API token from Settings → API Tokens in your PactFlow workspace.

Authenticating with Environment Variables

Alternatively, set your credentials as environment variables before running drift auth. Drift reads these automatically to create the token:

export PACT_BROKER_BASE_URL="https://your-workspace.pactflow.io"
export PACT_BROKER_TOKEN="your-api-token"

This is the recommended approach for CI/CD pipelines where interactive login is not available.

Authenticating with drift init

If you are setting up a new project, drift init includes an interactive authentication step as part of its onboarding flow. See Interactive Onboarding with drift init for details.

Checking your session

drift auth status
Authenticated as Jane Smith <jane.smith@example.com>  (expires 2026-03-26 00:36:28 UTC)

Logging out

drift auth logout
Logged out from https://your-workspace.pactflow.io/

Token Types

Table 12. Token Types

Token type              | Use case
------------------------|------------------------------------------------------------------------------------
Read-only (Development) | Local development and testing
System Account          | CI/CD pipelines that publish contracts. Requires appropriate roles and permissions.


Target API Authentication

In addition to Drift authentication, you may need to authenticate to the system under test (the API you are verifying). Configure this in your test cases.

Global Configuration

Use the global block in your drift.yaml to apply authentication parameters to every request in your suite.

global:
  auth:
    apply: true # Automatically applies to all operations
    parameters:
      authentication:
        scheme: bearer
        token: ${functions:bearer_token} # Dynamic call to Lua function

Dynamic Token Generation

In your product.lua file, implement the logic to return a valid credential. Drift handles the Bearer prefix automatically when the scheme is set to bearer.

-- product.lua
local function bearer_token()
  -- Returns a UTC timestamp as a mock bearer token
  return os.date("!%Y-%m-%dT%H:%M:%SZ")
end

local exports = {
  exported_functions = {
    bearer_token = bearer_token
  }
}

return exports
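A variant of the function above that sources the credential from the environment instead of returning a timestamp, added here as an example and not taken from the Drift documentation; the variable name TARGET_API_TOKEN is an assumption chosen for illustration. Because Drift adds the Bearer prefix itself when scheme is bearer, the function also strips a prefix that was pasted into the secret, so the header never becomes "Bearer Bearer ...".

```lua
-- product.lua (added example; TARGET_API_TOKEN is a hypothetical variable name)
local function bearer_token()
  local raw = os.getenv("TARGET_API_TOKEN")
  if raw == nil or raw:match("^%s*$") then
    -- Fail loudly rather than sending an empty Authorization header,
    -- which would make every authenticated case look like the 401 test.
    error("TARGET_API_TOKEN is not set; refusing to send an empty bearer token")
  end

  -- Trim surrounding whitespace (a trailing newline is common when the
  -- value was read from a secrets file).
  local token = raw:match("^%s*(.-)%s*$")

  -- Drift prepends "Bearer " when scheme: bearer, so remove any prefix
  -- already present in the secret value.
  token = token:gsub("^[Bb]earer%s+", "")

  return token
end

local exports = {
  exported_functions = {
    bearer_token = bearer_token
  }
}

return exports
```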

Testing Unauthorized Access

To verify 401 Unauthorized responses, you must explicitly exclude the global auth block for specific operations:

operations:
  getAllProducts_Unauthorized:
    target: source-oas:getAllProducts
    exclude:
      - auth # Ignores the global auth configuration
    parameters:
      headers:
        authorization: "Bearer invalid-token"
    expected:
      response:
        statusCode: 401