# p0 login

### **Overview** <a href="#overview" id="overview"></a>

The p0 login command bootstraps your local CLI with the credentials and configuration for your P0 organization. Once you've logged in, the CLI can:

* Save your org's configuration locally (endpoints, OAuth client IDs, etc.)
* Launch a browser SSO flow for your org's identity provider (Google, Okta, Ping, Microsoft OIDC, etc.)
* Let you start running p0 request, p0 aws, p0 ssh, and other commands without re-authenticating on each call
* If your saved token expires, the CLI will automatically re-launch the login flow and update the identity file before retrying any command.

***

### **Basic Login** <a href="#basic-login" id="basic-login"></a>

#### **1. Run the login command** <a href="#id-1-run-the-login-command" id="id-1-run-the-login-command"></a>

```plaintext
p0 login <ORG_ID>
```

Replace \<ORG\_ID> with your P0 organization's ID. This will:

1. Fetch your org's information (to get OAuth client IDs & tenant ID).
2. Save that org's config to \~/.p0/config.json (or, if you've set P0\_ORG, to a temp-directory config).
3. Launch your browser to authenticate via your org's SSO provider.
4. Persist the resulting ID/token bundle to an identity file.
5. Print "You are now logged in, and can use the p0 CLI."

#### **2. (Optional) Use P0\_ORG env var** <a href="#id-2-optional-use-p0-org-env-var" id="id-2-optional-use-p0-org-env-var"></a>

The `P0_ORG` environment variable is primarily used when you need to be authenticated to multiple P0 organizations simultaneously — for example, to SSH into instances across different orgs in the same shell session:

```plaintext
P0_ORG=org-one p0 login
P0_ORG=org-two p0 login
```

For multi-organization SSH setup, see [Multi-organization SSH access](https://docs.p0.dev/integrations/resource-integrations/ssh#multi-organization-ssh-access).

{% hint style="info" %}
You can also export `P0_ORG` for single-org use so you don't need to type the org ID each time:

`export P0_ORG=acme-corp`\
`p0 login`
{% endhint %}

***

### **What Files Are Created** <a href="#what-files-are-created" id="what-files-are-created"></a>

|                                       | <p><strong>File</strong></p><p><strong>Purpose</strong></p> |
| ------------------------------------- | ----------------------------------------------------------- |
| *(or $TMP/p0/config.json-\<ORG\_ID>)* | When P0\_ORG is set, alternate location                     |
| \~/.p0/identity.json                  | Your saved token + org slug + expiry time                   |
| *(or $TMP/p0/identity.json)*          | When P0\_ORG is set                                         |

Files are stored with restrictive permissions (600) so only you can read them.

***

### **Supported SSO Providers** <a href="#supported-sso-providers" id="supported-sso-providers"></a>

P0 CLI detects your org's SSO Provider and we pick the appropriate flow.

* **Google** / **Google-OIDC**
* **Okta**
* **Ping**
* **Microsoft** / **Azure-OIDC**

If your org uses a custom or unsupported provider, you see an "Unsupported login for your organization" error.

***

### **Troubleshooting** <a href="#troubleshooting" id="troubleshooting"></a>

* **"Couldn't find organization"**

  • Verify your org ID is correct and spelled exactly as given.
* **Browser didn't open / SSO popup blocked**

  • Be sure your $BROWSER env var is set or you have a default browser configured.

  • Check your popup-blocker settings.
* **"Please run p0 login \<organization> to use the P0 CLI."**

  Indicates no identity file was found. Simply re-run the login command.