Permify · kitwongpixel · May 30, 2026
diff --git a/core/cli/configure.go b/core/cli/configure.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/Permify/permify-cli/core/client"
 	"github.com/Permify/permify-cli/core/config"
@@ -102,12 +103,37 @@ func runE(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
+	token, err := tui.StringPrompt("enter permify token", "", config.CliCredentials.Token)
+	if err != nil {
+		return err
+	}
+
+	certPath, err := tui.StringPrompt("enter cert path", "", config.CliCredentials.CertPath)
+	if err != nil {
+		return err
+	}
+
+	certKey, err := tui.StringPrompt("enter cert key", "", config.CliCredentials.CertKey)
+	if err != nil {
+		return err
+	}
+
+	config.CliConfig.PermifyURL = url
+	config.CliConfig.SslEnabled = strings.HasPrefix(url, "https")
+	config.CliCredentials.Endpoint = url
+	config.CliCredentials.Token = token
+	config.CliCredentials.CertPath = certPath
+	config.CliCredentials.CertKey = certKey
+
 	resp, err := client.New(url)
+	if err != nil {
+		return err
+	}
 
 	// Todo: Implement pagination
 	tenants, err := resp.Tenancy.List(context.Background(), &v1.TenantListRequest{})
 	if err != nil {
-		logger.Log.Fatal(err)
+		return err
 	}
 
 	tenantNames := []string{}
@@ -117,16 +143,19 @@ func runE(cmd *cobra.Command, _ []string) error {
 		tenantNames = append(tenantNames, nameID)
 		tenantIds[nameID] = tenant.Id
 	}
-	
+
 	tenant, err := tui.Choice("Select a tenant: ", tenantNames)
 	if err != nil {
-		logger.Log.Error(err)
+		return err
 	}
-	config.CliConfig.PermifyURL = url
 	config.CliConfig.Tenant = tenantIds[tenant]
 	err = config.Write()
 	if err != nil {
-		logger.Log.Error(err)
+		return err
+	}
+	err = config.WriteCredentials()
+	if err != nil {
+		return err
 	}
 	logger.Log.Info("successfully configured ", "config file", configFile)
 	return nil

diff --git a/core/client/grpc.go b/core/client/grpc.go
@@ -2,19 +2,115 @@
 package client
 
 import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/Permify/permify-cli/core/config"
 	permify "github.com/Permify/permify-go/v1"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-// New initializes a new permify client
+// New initializes a new permify client.
 func New(endpoint string) (*permify.Client, error) {
+	connectionEndpoint := endpoint
+	if config.CliCredentials.Endpoint != "" {
+		connectionEndpoint = config.CliCredentials.Endpoint
+	}
+	secureTransport := config.CliConfig.SslEnabled ||
+		strings.HasPrefix(config.CliCredentials.Endpoint, "https://") ||
+		strings.HasPrefix(connectionEndpoint, "https://") ||
+		strings.TrimSpace(config.CliCredentials.CertPath) != "" ||
+		strings.TrimSpace(config.CliCredentials.CertKey) != ""
+	connectionEndpoint = sanitizeEndpoint(connectionEndpoint)
+	if connectionEndpoint == "" {
+		return nil, errors.New("permify endpoint is empty")
+	}
+
+	transportCredentials, err := transportCredentials(secureTransport)
+	if err != nil {
+		return nil, err
+	}
+
+	dialOptions := []grpc.DialOption{
+		grpc.WithTransportCredentials(transportCredentials),
+	}
+
+	token := strings.TrimSpace(config.CliCredentials.Token)
+	if token != "" {
+		dialOptions = append(dialOptions, grpc.WithPerRPCCredentials(tokenCredentials(token, secureTransport)))
+	}
+
 	client, err := permify.NewClient(
 		permify.Config{
-			Endpoint: endpoint,
+			Endpoint: connectionEndpoint,
 		},
-		// Todo: Implement secure call with tls certificate
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		dialOptions...,
 	)
 	return client, err
 }
+
+func sanitizeEndpoint(endpoint string) string {
+	endpoint = strings.TrimSpace(endpoint)
+	if endpoint == "" {
+		return ""
+	}
+
+	if !strings.Contains(endpoint, "://") {
+		return endpoint
+	}
+	parsed, err := url.Parse(endpoint)
+	if err != nil || parsed.Scheme == "" {
+		return endpoint
+	}
+	if parsed.Host != "" {
+		return parsed.Host
+	}
+	if parsed.Path != "" {
+		return strings.TrimLeft(parsed.Path, "/")
+	}
+	return strings.TrimPrefix(endpoint, parsed.Scheme+"://")
+}
+
+func transportCredentials(secureTransport bool) (credentials.TransportCredentials, error) {
+	if secureTransport {
+		certPath := strings.TrimSpace(config.CliCredentials.CertPath)
+		certKey := strings.TrimSpace(config.CliCredentials.CertKey)
+		if certPath == "" && certKey == "" {
+			return credentials.NewTLS(&tls.Config{}), nil
+		}
+		if certPath == "" || certKey == "" {
+			return nil, fmt.Errorf("both cert path and cert key must be provided")
+		}
+		if _, err := os.Stat(certPath); err != nil {
+			return nil, fmt.Errorf("failed to read cert path: %w", err)
+		}
+		if _, err := os.Stat(certKey); err != nil {
+			return nil, fmt.Errorf("failed to read cert key: %w", err)
+		}
+		cert, err := tls.LoadX509KeyPair(certPath, certKey)
+		if err != nil {
+			return nil, err
+		}
+		return credentials.NewTLS(&tls.Config{
+			Certificates: []tls.Certificate{cert},
+		}), nil
+	}
+
+	return insecure.NewCredentials(), nil
+}
+
+func tokenCredentials(token string, secureTransport bool) credentials.PerRPCCredentials {
+	metadata := map[string]string{
+		"authorization": "Bearer " + strings.TrimSpace(token),
+	}
+	if secureTransport {
+		return secureTokenCredentials(metadata)
+	}
+	return nonSecureTokenCredentials(metadata)
+}
diff --git a/core/client/grpc_test.go b/core/client/grpc_test.go
@@ -0,0 +1,139 @@
+package client
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/Permify/permify-cli/core/config"
+)
+
+func TestTokenCredentials(t *testing.T) {
+	secureCreds := tokenCredentials("secret", true)
+	if !secureCreds.RequireTransportSecurity() {
+		t.Fatalf("expected secure credentials to require transport security")
+	}
+	secureMetadata, err := secureCreds.GetRequestMetadata(context.Background())
+	if err != nil {
+		t.Fatalf("GetRequestMetadata() error = %v", err)
+	}
+	if got := secureMetadata["authorization"]; got != "Bearer secret" {
+		t.Fatalf("unexpected secure metadata authorization: got %q", got)
+	}
+
+	insecureCreds := tokenCredentials("secret", false)
+	if insecureCreds.RequireTransportSecurity() {
+		t.Fatalf("expected insecure credentials to not require transport security")
+	}
+	insecureMetadata, err := insecureCreds.GetRequestMetadata(context.Background())
+	if err != nil {
+		t.Fatalf("GetRequestMetadata() error = %v", err)
+	}
+	if got := insecureMetadata["authorization"]; got != "Bearer secret" {
+		t.Fatalf("unexpected insecure metadata authorization: got %q", got)
+	}
+}
+
+func TestTransportCredentials(t *testing.T) {
+	originalCredentials := config.CliCredentials
+	originalConfig := config.CliConfig
+	t.Cleanup(func() {
+		config.CliCredentials = originalCredentials
+		config.CliConfig = originalConfig
+	})
+
+	t.Run("insecure", func(t *testing.T) {
+		config.CliConfig.SslEnabled = false
+		creds, err := transportCredentials(false)
+		if err != nil {
+			t.Fatalf("transportCredentials(false) error = %v", err)
+		}
+		if creds == nil {
+			t.Fatalf("expected credentials, got nil")
+		}
+	})
+
+	t.Run("tls pair", func(t *testing.T) {
+		certPath, certKey := generateTestCertificatePair(t)
+		config.CliConfig.SslEnabled = true
+		config.CliCredentials.CertPath = certPath
+		config.CliCredentials.CertKey = certKey
+
+		creds, err := transportCredentials(true)
+		if err != nil {
+			t.Fatalf("transportCredentials(true) error = %v", err)
+		}
+		if creds == nil {
+			t.Fatalf("expected credentials, got nil")
+		}
+	})
+
+	t.Run("missing cert key", func(t *testing.T) {
+		config.CliConfig.SslEnabled = true
+		config.CliCredentials.CertPath = "/tmp/client.pem"
+		config.CliCredentials.CertKey = ""
+
+		_, err := transportCredentials(true)
+		if err == nil {
+			t.Fatalf("expected error for missing cert key")
+		}
+	})
+}
+
+func generateTestCertificatePair(t *testing.T) (string, string) {
+	t.Helper()
+
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("GenerateKey() error = %v", err)
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "permify-cli-test",
+		},
+		NotBefore:             time.Now().Add(-time.Hour),
+		NotAfter:              time.Now().Add(time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
+	if err != nil {
+		t.Fatalf("CreateCertificate() error = %v", err)
+	}
+
+	tempDir := t.TempDir()
+	certPath := filepath.Join(tempDir, "client.crt")
+	certKey := filepath.Join(tempDir, "client.key")
+
+	certFile, err := os.Create(certPath)
+	if err != nil {
+		t.Fatalf("os.Create(cert) error = %v", err)
+	}
+	defer certFile.Close()
+	if err := pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certDER}); err != nil {
+		t.Fatalf("pem.Encode(cert) error = %v", err)
+	}
+
+	keyFile, err := os.Create(certKey)
+	if err != nil {
+		t.Fatalf("os.Create(key) error = %v", err)
+	}
+	defer keyFile.Close()
+	if err := pem.Encode(keyFile, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+		t.Fatalf("pem.Encode(key) error = %v", err)
+	}
+
+	return certPath, certKey
+}