A profile is a named set of service endpoints and authentication settings. Commands that talk to remote services — plan, apply, destroy, test — read the active profile to know where each service lives and how to authenticate.

Where profiles live

Profiles are stored in ~/.wxctl/config.json. You don’t edit it by hand — wxctl init writes it for you: 
wxctl init                            # configure all services interactively
wxctl init -f config.yaml             # only the services your config needs
wxctl init -f config.yaml -p staging  # write a named profile
wxctl init --template                 # write a template with placeholders (no prompts)
  • -f, --filename scopes the prompts to just the services a configuration references, instead of every supported service.
  • -p, --profile names the profile being written; omit it to write the default profile.
  • --template skips the interactive prompts and emits a profile with placeholder values — useful for piping or generating a starting point to fill in later.
To point at a config file somewhere other than ~/.wxctl/config.json, pass --profile-path <path>.

Choosing the active profile

When a command needs credentials, wxctl resolves the active profile in this order — the first match wins:
  1. The -p, --profile <name> flag
  2. The WXCTL_PROFILE environment variable
  3. The name stored in ~/.wxctl/active_profile
  4. default
wxctl apply -f config.yaml -p staging       # explicit flag wins
WXCTL_PROFILE=staging wxctl apply -f config.yaml   # via environment

Authentication types

Each service in a profile declares an auth_type that selects how wxctl obtains a token. The table below lists the type and the config fields it uses — fill the values in via wxctl init.
Typeauth_typeConfig fields
IBM Cloud API keyapikeyapikey
ZenApiKey (Software Hub)zenapikeyusername, apikey
Cloud Pak for Datacp4d / icp4dusername, password
HMAC (object storage)hmacaccess_key, secret_key
Basicbasicusername, password
Bearer tokenbearerapikey
None (local)none
SaaS services authenticate with apikey; Software (Cloud Pak for Data / Software Hub) services use cp4d or zenapikeyapikey is rejected on Software and zenapikey on SaaS. hmac covers object-storage (S3 / COS) services.
Credentials live only in ~/.wxctl/config.json and in the environment variables your YAML references with ${env:VAR}. Never commit credentials into a configuration file — keep them in your profile or the environment.

Next steps

Declarative model

Resources, references, and ${env:VAR} interpolation.

Pipeline

The stages every command runs.