Skip to content

API Keys

Automation Keys are designed for CI/CD pipelines. They are scoped to specific servers and operations, with optional IP restrictions and rate limiting.

  1. Navigate to Automation Keys in the dashboard sidebar
  2. Click Create Automation Key
  3. Enter a name (e.g., github-prod-deploy)
  4. Configure server scope: select specific servers or allow all
  5. Configure allowed operations: exec, deploy, restart, reboot, registry_login, registry_logout
  6. Configure allowed registry credentials (for registry_login): select the registry credentials the key may pass to reoclo/docker-auth. Empty = all credentials in the tenant.
  7. Optionally expand Advanced Settings:
    • Expiration: 30 days, 90 days, 1 year, or Never
    • IP Allowlist: restrict to specific IPs or CIDR ranges (e.g., GitHub runner IPs)
    • Rate Limit: requests per minute (default: 100)
  8. Click Create
  9. Copy the key immediately — it is shown only once

Use reoclo/run and reoclo/checkout:

steps:
- name: Checkout code on server
uses: reoclo/checkout@v2
with:
api_key: ${{ secrets.REOCLO_API_KEY }}
server_id: ${{ secrets.REOCLO_SERVER_ID }}
path: /srv/reoclo/myapp
token: ${{ github.token }}
- name: Build and deploy
uses: reoclo/run@v2
with:
api_key: ${{ secrets.REOCLO_API_KEY }}
server_id: ${{ secrets.REOCLO_SERVER_ID }}
working_directory: /srv/reoclo/myapp
command: |
docker compose -f docker-compose.prod.yml build
docker compose -f docker-compose.prod.yml up -d
timeout: 600
Terminal window
curl -X POST https://api.reoclo.com/api/automation/v1/exec \
-H "Authorization: Bearer rca_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"server_id": "your-server-id",
"command": "cd /srv/reoclo/myapp && docker compose -f docker-compose.prod.yml up -d",
"timeout_seconds": 300
}'

If a CI job needs the full CLI (not just reoclo/run / reoclo/checkout), set REOCLO_AUTOMATION_KEY in the environment:

- name: Deploy via reoclo CLI
env:
REOCLO_AUTOMATION_KEY: ${{ secrets.REOCLO_AUTOMATION_KEY }}
run: |
npx -y @reoclo/cli apps deploy my-app --ref ${{ github.sha }}

The CLI honors REOCLO_AUTOMATION_KEY for unattended use without invoking OAuth.

Every integration method below authenticates with the same Automation Key (rca_*) — only the variable name and how you point at a server or app differ. Use this table to pick the right secret and target for the method you are wiring up.

MethodKey passed asSecret / env varTarget identifier
GitHub Action — reoclo/run, reoclo/checkout, reoclo/docker-authapi_key inputsecret REOCLO_API_KEYserver_id input ← secret REOCLO_SERVER_ID
GitHub Action — reoclo/deploy-syncapi_key inputsecret REOCLO_API_KEY (key needs the external_deploy operation)none — matches services by container name
Reoclo CLI in CIenvironment variableREOCLO_AUTOMATION_KEY (falls back to REOCLO_API_KEY)CLI argument — --server <name> or apps deploy <app>; no REOCLO_SERVER_ID
REST Automation APIAuthorization: Bearer <key> headerheader valueserver_id in body for exec / restart / reboot · application_id in body for deploy

Best practice is to create separate keys for different environments and workflows:

Key NameServersOperationsUse Case
github-prod-deployprod-1deploy, restartProduction deploys from main branch
github-staging-allstaging-1exec, deploy, restartStaging: full access for testing
github-migrationsprod-1execRun database migrations only
monitoring-restartprod-1, prod-2restartAutomated recovery scripts

The Automation Keys page shows all your keys with:

  • Name and prefix (for identification)
  • Server and operation scope
  • Last used timestamp
  • Status (Active, Expired, Revoked)

Click the revoke button on any key to invalidate it immediately. Revoked keys cannot be used for any API calls. In-flight operations using the key will complete, but new requests are rejected.

There is no in-place rotation. To rotate a key:

  1. Create a new key with the same scope
  2. Update the key in your CI secrets
  3. Verify the new key works
  4. Revoke the old key
  1. Revoke immediately from the Automation Keys page
  2. Create a replacement key
  3. Update all CI secrets that used the old key
  4. Check the Audit Log for any unauthorized operations made with the compromised key

For Claude Code, Cursor, VS Code, or any other MCP client, do not use an Automation Key. Run reoclo login and configure the CLI’s MCP server — see the MCP Setup guide.