After installation, you must configure your credentials. The installer does not save them for you. You can authenticate the Cortex CLI using one of these methods: command-line flags, configuration file or environment variables.
Method 1: Configuration file
(Recommended for local use). For persistent local authentication without typing credentials every time, use a configuration file. The CLI natively reads this file when executing commands, so you do not need to manually source or load it into your shell environment.
File location: The CLI looks for a file named cortex.env in your home directory or the current working directory.
Format: KEY=VALUE pairs.
macOS / Linux setup
Instead of using flags, create an environment configuration file named cortex.env. Save this file in your home or working directory and add your credentials as variables.
```bash
cat > ~/cortex.env << EOF
CORTEX_API_BASE_URL=https://api-<TENANT>.xdr.us.paloaltonetworks.com
CORTEX_API_KEY=<YOUR_API_KEY>
CORTEX_API_KEY_ID=<YOUR_KEY_ID>
EOF
chmod 600 ~/cortex.env
```
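A preflight check for the file created above, as an added example that is not part of the Cortex CLI or the original page: it confirms that cortex.env grants no group/other permissions and that the three variables are set and no longer hold the `<...>` placeholders. The function names `check_cortex_env` and `file_mode` are hypothetical, and the check assumes one KEY=VALUE pair per line, as described under Format.

```shell
#!/usr/bin/env bash
# Added example (not part of the Cortex CLI): preflight check for cortex.env.
# check_cortex_env and file_mode are hypothetical helper names.

REQUIRED_KEYS="CORTEX_API_BASE_URL CORTEX_API_KEY CORTEX_API_KEY_ID"

# Print the file mode in octal; try GNU stat first, then BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_cortex_env() {
  local file="$1" rc=0 mode key value
  if [ ! -f "$file" ]; then
    echo "missing: $file" >&2
    return 1
  fi

  # The setup step runs chmod 600, so group and other must have no access.
  mode="$(file_mode "$file")"
  case "$mode" in
    *00) ;;
    *) echo "mode $mode on $file allows group/other access; expected 600" >&2; rc=1 ;;
  esac

  for key in $REQUIRED_KEYS; do
    # Use the last KEY=VALUE line for this key; the value is never printed.
    value="$(sed -n "s/^${key}=//p" "$file" | tail -n 1)"
    if [ -z "$value" ]; then
      echo "$key is missing or empty" >&2; rc=1
    elif printf '%s' "$value" | grep -q '<[A-Z_]*>'; then
      echo "$key still contains a <PLACEHOLDER>" >&2; rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check_cortex_env.sh ~/cortex.env
if [ "$#" -gt 0 ]; then check_cortex_env "$1"; fi
```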
Windows setup
```powershell
$configPath = "$env:USERPROFILE\cortex.env"
@"
CORTEX_API_BASE_URL=https://api-<TENANT>.xdr.us.paloaltonetworks.com
CORTEX_API_KEY=<YOUR_API_KEY>
CORTEX_API_KEY_ID=<YOUR_KEY_ID>
"@ | Out-File -FilePath $configPath -Encoding UTF8
```
Method 2: Environment variables
(Recommended for CI/CD). Best practice for automation (Jenkins, GitHub Actions, GitLab): supplying credentials through environment variables avoids committing secrets to code.

| Variable name | Description |
|---|---|
| CORTEX_API_BASE_URL | Your tenant URL (such as https://api-example.xdr.us.paloaltonetworks.com) |
| CORTEX_API_KEY | The secret key token |
| CORTEX_API_KEY_ID | The ID associated with the key |

Linux / macOS (Bash/Zsh):
```bash
export CORTEX_API_BASE_URL="https://api-tenant.xdr.us.paloaltonetworks.com"
export CORTEX_API_KEY="secret-key-123"
export CORTEX_API_KEY_ID="1"
```
Windows (PowerShell):
```powershell
$env:CORTEX_API_BASE_URL="https://api-tenant.xdr.us.paloaltonetworks.com"
$env:CORTEX_API_KEY="secret-key-123"
$env:CORTEX_API_KEY_ID="1"
```
Method 3: Command-line flags (overriding)
Use for one-off scans or testing different keys. These flags must appear in the [global flags] position (before the module name).
Syntax:
cortexcli --api-base-url <URL> --api-key <KEY> --api-key-id <ID> code scan ...