Skip to main content

Manage Deployment API keys (Deprecated)

Deprecation Notice: Deployment API Keys

Deployment API keys are deprecated in favor of Deployment API tokens.

You must convert existing API keys into Deployment API tokens by June 1, 2024, after which API keys will no longer work.

If you have any questions, contact Astronomer Support.

An API key is a unique key ID and secret pair that you can use as an alternative to manual user authentication for some Astro actions. You can also use API keys to automate common actions on Astro that require manual inputs.

You can use Deployment API keys to complete the following actions without authenticating as a user:

You can't use a Deployment API key to create Deployments or manage users within a Deployment's Workspace.

Use API keys

When using a Deployment API key, keep the following in mind:

  • A Deployment API key ID and secret are permanently valid.
  • Deployment API keys are deleted permanently if their corresponding Deployment is deleted.
  • A Deployment API key is not bound to the user who creates it. When a user who created the API key is removed from the Workspace, or their permissions change, the Deployment and CI/CD workflows that use the API key are not affected.
  • Any user or service with access to an API key and secret can access the corresponding Deployment. The only way to delete this access is to delete the API key or delete the Deployment.

Create an API key

  1. In the Astro UI, select a Workspace, click Deployments, and then select a Deployment.

  2. Click the API Keys tab.

  3. Click API Key:

    Add API key button

  4. Enter a name and an optional description for the API key and then click Create API Key:

    Create API key button

  5. Optional. Copy the API key ID and secret for use in API calls and CI/CD pipelines and then click I've saved the Key Secret. Make sure you save the key secret securely, as this is the only time you will have access to see it in plain text.


If you just need to make a single API call, you can use a temporary user authentication token instead of a Deployment API key ID and secret pair. To retrieve a temporary authentication token, go to and copy the token that appears. This token is valid only for 1 hour.

Use an API key with the Astro CLI

To use a Deployment API key with the Astro CLI, you must make your API key ID and secret accessible to the Astro CLI by setting the following OS-level environment variables:


For example, to update a Deployment using the Astro CLI on a Mac machine, set temporary OS-level environment variables with the following commands:

export ASTRONOMER_KEY_ID=<your-key-id>
export ASTRONOMER_KEY_SECRET=<your-key-secret>

After you set the variables, you can run astro deployment update for the Deployment and you don't have to manually authenticate to Astronomer. Astronomer recommends storing ASTRONOMER_KEY_SECRET as a secret before using it to programmatically update a Deployment.

Use an API key for CI/CD

If you deploy DAGs regularly to a production environment, Astronomer recommends using Deployment API keys to automate pushing code with a tool such as GitHub Actions or Circle CI.

For more information and examples, see Automate code deploys with CI/CD.

Delete an API key

If you delete an API key, make sure that no existing CI/CD pipelines are using it. Once deleted, an API key and secret cannot be recovered. If you unintentionally delete an API key, create a new one and update any CI/CD workflows that used the deleted API key.

  1. In the Astro UI, select a Workspace, click Deployments, and then select a Deployment.

  2. Click the API Keys tab.

  3. Click Edit next to your API key.

    Edit API key button

  4. Click Delete API Key, enter Delete, and then click Yes, Continue.

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.