Skip to main content
IronBee accepts two kinds of credentials, and the CLI picks the right one for you:
  • OAuth access token: the default for interactive use. ironbee login mints a personal token tied to your user and account. Each token is individually named and revocable.
  • API key: an account-scoped key for machine-to-machine (M2M) use, such as the GitHub Action or any CI pipeline where no browser is available.
Both are first-class and supported. The difference is who they identify: an OAuth token is you, an API key is the account.

OAuth tokens (default)

Running ironbee login opens your browser, asks you to authorize the CLI, and writes a personal access token to ~/.ironbee/config.json under collector.oauthToken. From then on the CLI authenticates as you.
ironbee login
The login flow waits up to five minutes for you to confirm in the browser; press Ctrl+C to cancel. By default the token is named after your machine’s hostname so you can recognize it later in the Console and pass --name to set your own label:
ironbee login --name "work-laptop"
Each token appears on the API Tokens page in the Console, where you can see when it was created, when it expires, and revoke it. CLI-minted tokens default to a 90-day lifetime.

Token limit

You can hold at most 10 OAuth access tokens per account at a time. This count includes expired tokens that you have not yet removed. If you are already at the limit, ironbee login cannot mint a new one and prints:
You already have the maximum of 10 access tokens, so a new one could not be issued for the CLI. Revoke one on the IronBee Console's API Tokens page, then run "ironbee login" again
To free a slot, open the API Tokens page, revoke a token you no longer use, then run ironbee login again.

API keys (CI and automation)

For automation that runs without a browser; the GitHub Action, scheduled jobs, scripts, use an account API key instead. Supply it through the IRONBEE_API_KEY environment variable so it never lands in a committed file:
export IRONBEE_API_KEY=<your-account-api-key>
The CLI reads it into collector.apiKey. You can also set it on disk with ironbee config set collector.apiKey <key> --global, but the environment variable is preferred for CI because it overrides every config layer. Find and manage the account API key on the Account page in the Console. Owners and admins can view, copy, and rotate it.

Rotation and the grace window

Rotating the API key on the Account page generates a fresh key and keeps the previous key valid for 24 hours for a grace window so your CI and integrations keep working while you roll the new key out. Only one grace key exists at a time:
  • Rotating again while a grace key is still active permanently disables the earlier grace key (the Console asks you to confirm first).
  • Use Deactivate now on the Account page to end the grace window immediately.

Which credential the CLI uses

If both are present, the OAuth token takes priority on the wire. In practice:
SituationCredentialHow to set it
You, working locallyOAuth tokenironbee login
GitHub Action / CIAPI keyIRONBEE_API_KEY secret
Scripted or headless machineAPI keyIRONBEE_API_KEY or collector.apiKey
Both IRONBEE_OAUTH_TOKEN and IRONBEE_API_KEY override whatever is on disk, so a CI runner can supply a credential without touching ~/.ironbee/config.json. See Environment variables for precedence details.

What’s next?

API Tokens in the Console

Create, name, and revoke your personal OAuth access tokens.

Account API key

View and rotate the shared account key used for CI.