- OAuth access token: the default for interactive use.
ironbee loginmints a personal token tied to your user and account. Each token is individually named and revocable. - API key: an account-scoped key for machine-to-machine (M2M) use, such as the GitHub Action or any CI pipeline where no browser is available.
OAuth tokens (default)
Runningironbee login opens your browser, asks you to authorize the CLI, and writes a personal access token to ~/.ironbee/config.json under collector.oauthToken. From then on the CLI authenticates as you.
Ctrl+C to cancel. By default the token is named after your machine’s hostname so you can recognize it later in the Console and pass --name to set your own label:
Token limit
You can hold at most 10 OAuth access tokens per account at a time. This count includes expired tokens that you have not yet removed. If you are already at the limit,ironbee login cannot mint a new one and prints:
ironbee login again.
API keys (CI and automation)
For automation that runs without a browser; the GitHub Action, scheduled jobs, scripts, use an account API key instead. Supply it through theIRONBEE_API_KEY environment variable so it never lands in a committed file:
collector.apiKey. You can also set it on disk with ironbee config set collector.apiKey <key> --global, but the environment variable is preferred for CI because it overrides every config layer.
Find and manage the account API key on the Account page in the Console. Owners and admins can view, copy, and rotate it.
Rotation and the grace window
Rotating the API key on the Account page generates a fresh key and keeps the previous key valid for 24 hours for a grace window so your CI and integrations keep working while you roll the new key out. Only one grace key exists at a time:- Rotating again while a grace key is still active permanently disables the earlier grace key (the Console asks you to confirm first).
- Use Deactivate now on the Account page to end the grace window immediately.
Which credential the CLI uses
If both are present, the OAuth token takes priority on the wire. In practice:| Situation | Credential | How to set it |
|---|---|---|
| You, working locally | OAuth token | ironbee login |
| GitHub Action / CI | API key | IRONBEE_API_KEY secret |
| Scripted or headless machine | API key | IRONBEE_API_KEY or collector.apiKey |
IRONBEE_OAUTH_TOKEN and IRONBEE_API_KEY override whatever is on disk, so a CI runner can supply a credential without touching ~/.ironbee/config.json. See Environment variables for precedence details.
What’s next?
API Tokens in the Console
Create, name, and revoke your personal OAuth access tokens.
Account API key
View and rotate the shared account key used for CI.