--- layout: commands page_title: 'Commands: Login' description: > The `login` command will exchange the provided third party credentials with the requested auth method for a newly minted Consul ACL token. --- # Consul Login Command: `consul login` Corresponding HTTP API Endpoint: [\[POST\] /v1/acl/login](https://www.consul.io/api-docs/acl#login-to-auth-method) The `login` command will exchange the provided third party credentials with the requested auth method for a newly minted Consul ACL token. The companion command `consul logout` should be used to destroy any tokens created this way to avoid a resource leak. ## Usage Usage: `consul login [options]` #### API Options @include 'http_api_options_client.mdx' #### Command Options - `-bearer-token-file=` - Path to a file containing a secret bearer token to use with this auth method. - `-meta=` - Metadata to set on the token, formatted as `key=value`. This flag may be specified multiple times to set multiple meta fields. - `-method=` - Name of the auth method to login to. - `-token-sink-file=` - The most recent token's SecretID is kept up to date in this file. - `-type=` - Type of the auth method to login to. This field is optional and defaults to no type. Required for `type=oidc` auth method login. Added in Consul 1.8.0. #### Enterprise Options @include 'http_api_namespace_options.mdx' - `-oidc-callback-listen-addr=` - The address to bind a webserver on to handle the browser callback from the OIDC workflow. Added in Consul 1.8.0. ### Examples Login to an auth method. ```shell-session $ consul login -method 'minikube' \ -bearer-token-file '/run/secrets/kubernetes.io/serviceaccount/token' \ -token-sink-file 'consul.token' $ cat consul.token 36103ae4-6731-e719-f53a-d35188cfa41d ```