Managing API Keys
API keys authenticate your requests to the DeployHQ API. Each key belongs to a user and is used together with your email address, so every request is attributed to a real person on your account.
Finding and creating your API key
Your API keys live on the Security page under the Settings menu. A key is a 40-character string that you send with your email address using HTTP Basic Authentication (your email address is the username, the key is the password).
You can create more than one key and give each a description, such as "CI pipeline" or "Reporting dashboard", so it is easy to see where each one is used. Creating separate keys for separate tools means you can revoke one without disrupting the others.
For the full authentication details and request format, see The DeployHQ API.
Read-only API keys
When you create a key, you can mark it as read-only. A read-only key can view and list the resources in your account — projects, servers, deployments, activity, and so on — but it cannot make any changes. Specifically, a read-only key cannot:
- Start, retry, or roll back deployments
- Create, edit, or delete projects, servers, or configuration
- Download private keys or other credentials
If a read-only key is used for a request that would change something, that request is rejected.
Read-only keys are ideal for anything that only needs to read your data — reporting dashboards, monitoring, status pages, or third-party integrations that should never be able to modify your account. Issuing a read-only key is a simple way to give each integration only the access it actually needs.
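The sketch below is an added example, not DeployHQ's own code: it shows how a reporting integration might load the email address and key from the environment, build the Basic Authentication header described above, and refuse write methods locally before the server ever has to reject them. The environment variable names, the set of methods treated as reads, and the HTTPS check are assumptions made for the example.

```python
import base64
import os
import urllib.request

KEY_LENGTH = 40  # the page states a key is a 40-character string
SAFE_METHODS = {"GET", "HEAD"}  # assumption: only these are treated as reads


def load_credentials(env=os.environ):
    """Read email and key from the environment so they never live in source."""
    # DEPLOYHQ_EMAIL / DEPLOYHQ_API_KEY are hypothetical variable names.
    email = env.get("DEPLOYHQ_EMAIL", "")
    key = env.get("DEPLOYHQ_API_KEY", "")
    if "@" not in email:
        raise ValueError("DEPLOYHQ_EMAIL is missing or not an email address")
    if len(key) != KEY_LENGTH:
        # Never echo the key itself in an error message or log line.
        raise ValueError(f"DEPLOYHQ_API_KEY must be {KEY_LENGTH} characters")
    return email, key


def basic_auth_header(email, key):
    """HTTP Basic Authentication: email is the username, key is the password."""
    token = base64.b64encode(f"{email}:{key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url, method, email, key, read_only=True):
    """Build (do not send) a request; refuse writes locally for read-only use."""
    method = method.upper()
    if read_only and method not in SAFE_METHODS:
        raise PermissionError(f"{method} refused: this integration is read-only")
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", basic_auth_header(email, key))
    return req
```

The local method check is a convenience for catching mistakes early; the read-only flag on the key itself is what actually enforces the restriction.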
Revoking a key
You can revoke any key from the same Security page. Once revoked, requests using that key stop working immediately, so revoke and replace a key straight away if you think it has been exposed. Treat your API keys like passwords and never commit them to a public repository.