Build with AI

Using Ping CLI in Development Environments

PingOne DaVinci Authorize Credentials MFA Protect Verify PingFederate

This page covers Ping CLI-specific information for agentic development: how authentication is delegated from the agent to the CLI, and how to configure OAuth clients for development and headless harnesses.

For the broader concepts, when direct agent access is appropriate, which tools to choose, and how development differs from production, refer to Agentic development environments.

Authentication delegation

Ping CLI manages authentication to Ping Identity platform APIs. The agent invokes CLI commands; the CLI handles token acquisition, refresh, and the underlying API calls. The agent itself never holds credentials.

pingcli-dev-auth-flow

Human administrator present

When a human administrator is operating the agent harness, Ping CLI can authenticate using an authorization code grant or device authorization grant. The access token is issued on behalf of the administrator, so all API calls are audited against their identity in the Ping Identity platform audit logs.

The agent harness itself is not recorded in the audit log. The audit trail shows what was done and by whom (the administrator), but not that an agent was involved.

This applies to interactive development and prototyping contexts where the administrator takes responsibility for the agent’s actions and the risk of harm is negligible.

Fully automated harness (no human actor)

When the CLI runs in a fully automated harness with no human actor present, for example, in a sandboxed agent or an automated test pipeline, authentication uses a client credentials grant. The access token is attributed to the OAuth client, not a person.

Where possible, define a dedicated OAuth client for each agent, agent harness, or sandbox environment. Using a shared client makes it impossible to distinguish which agent or harness produced a given audit record. A per-agent client means audit logs can be reliably attributed to a specific agent or purpose, which is valuable for both debugging and governance.

A client should be scoped to the minimum permissions needed for the agent’s task. Prefer short token lifetimes and rotate client secrets regularly.

Full documentation

The complete Ping CLI reference; installation, service connections, configuration profiles, and the full command reference is at the Ping CLI documentation site.