API Keys
Automation Keys are designed for CI/CD pipelines. They are scoped to specific servers and operations, with optional IP restrictions and rate limiting.
Creating an Automation Key
Section titled “Creating an Automation Key”- Navigate to Automation Keys in the dashboard sidebar
- Click Create Automation Key
- Enter a name (e.g.,
github-prod-deploy) - Configure server scope: select specific servers or allow all
- Configure allowed operations:
exec,deploy,restart,reboot,registry_login,registry_logout - Configure allowed registry credentials (for
registry_login): select the registry credentials the key may pass toreoclo/docker-auth. Empty = all credentials in the tenant. - Optionally expand Advanced Settings:
- Expiration: 30 days, 90 days, 1 year, or Never
- IP Allowlist: restrict to specific IPs or CIDR ranges (e.g., GitHub runner IPs)
- Rate Limit: requests per minute (default: 100)
- Click Create
- Copy the key immediately — it is shown only once
Using Automation Keys
Section titled “Using Automation Keys”With GitHub Actions
Section titled “With GitHub Actions”Use reoclo/run and reoclo/checkout:
steps: - name: Checkout code on server uses: reoclo/checkout@v2 with: api_key: ${{ secrets.REOCLO_API_KEY }} server_id: ${{ secrets.REOCLO_SERVER_ID }} path: /srv/reoclo/myapp token: ${{ github.token }}
- name: Build and deploy uses: reoclo/run@v2 with: api_key: ${{ secrets.REOCLO_API_KEY }} server_id: ${{ secrets.REOCLO_SERVER_ID }} working_directory: /srv/reoclo/myapp command: | docker compose -f docker-compose.prod.yml build docker compose -f docker-compose.prod.yml up -d timeout: 600With curl
Section titled “With curl”curl -X POST https://api.reoclo.com/api/automation/v1/exec \ -H "Authorization: Bearer rca_your_key_here" \ -H "Content-Type: application/json" \ -d '{ "server_id": "your-server-id", "command": "cd /srv/reoclo/myapp && docker compose -f docker-compose.prod.yml up -d", "timeout_seconds": 300 }'With the Reoclo CLI in CI
Section titled “With the Reoclo CLI in CI”If a CI job needs the full CLI (not just reoclo/run / reoclo/checkout), set REOCLO_AUTOMATION_KEY in the environment:
- name: Deploy via reoclo CLI env: REOCLO_AUTOMATION_KEY: ${{ secrets.REOCLO_AUTOMATION_KEY }} run: | npx -y @reoclo/cli apps deploy my-app --ref ${{ github.sha }}The CLI honors REOCLO_AUTOMATION_KEY for unattended use without invoking OAuth.
Credentials reference
Section titled “Credentials reference”Every integration method below authenticates with the same Automation Key (rca_*) — only the variable name and how you point at a server or app differ. Use this table to pick the right secret and target for the method you are wiring up.
| Method | Key passed as | Secret / env var | Target identifier |
|---|---|---|---|
GitHub Action — reoclo/run, reoclo/checkout, reoclo/docker-auth | api_key input | secret REOCLO_API_KEY | server_id input ← secret REOCLO_SERVER_ID |
GitHub Action — reoclo/deploy-sync | api_key input | secret REOCLO_API_KEY (key needs the external_deploy operation) | none — matches services by container name |
| Reoclo CLI in CI | environment variable | REOCLO_AUTOMATION_KEY (falls back to REOCLO_API_KEY) | CLI argument — --server <name> or apps deploy <app>; no REOCLO_SERVER_ID |
| REST Automation API | Authorization: Bearer <key> header | header value | server_id in body for exec / restart / reboot · application_id in body for deploy |
Automation Key Scoping
Section titled “Automation Key Scoping”Best practice is to create separate keys for different environments and workflows:
| Key Name | Servers | Operations | Use Case |
|---|---|---|---|
github-prod-deploy | prod-1 | deploy, restart | Production deploys from main branch |
github-staging-all | staging-1 | exec, deploy, restart | Staging: full access for testing |
github-migrations | prod-1 | exec | Run database migrations only |
monitoring-restart | prod-1, prod-2 | restart | Automated recovery scripts |
Managing Keys
Section titled “Managing Keys”Viewing Keys
Section titled “Viewing Keys”The Automation Keys page shows all your keys with:
- Name and prefix (for identification)
- Server and operation scope
- Last used timestamp
- Status (Active, Expired, Revoked)
Revoking Keys
Section titled “Revoking Keys”Click the revoke button on any key to invalidate it immediately. Revoked keys cannot be used for any API calls. In-flight operations using the key will complete, but new requests are rejected.
Rotating Keys
Section titled “Rotating Keys”There is no in-place rotation. To rotate a key:
- Create a new key with the same scope
- Update the key in your CI secrets
- Verify the new key works
- Revoke the old key
If a Key Is Compromised
Section titled “If a Key Is Compromised”- Revoke immediately from the Automation Keys page
- Create a replacement key
- Update all CI secrets that used the old key
- Check the Audit Log for any unauthorized operations made with the compromised key
IDE / MCP access
Section titled “IDE / MCP access”For Claude Code, Cursor, VS Code, or any other MCP client, do not use an Automation Key. Run reoclo login and configure the CLI’s MCP server — see the MCP Setup guide.
Next Steps
Section titled “Next Steps”- CLI Authentication —
reoclo loginfor IDE/MCP access - MCP Setup — connect Claude Code, Cursor, VS Code, and others
- GitHub Actions Integration — CI/CD with Automation Keys
- Automation API Reference — endpoint documentation