Documentation sections

Automate · Settings

Manage API keys

API keys authenticate the SolidActions CLI and public REST APIs. They belong to your user account, are shown in full only once, and are independent of browser OAuth used by MCP clients.

Last reviewed July 14, 2026

In the app Settings → API Keys

Problems this solves

Start with the recurring problem, then use this feature when its boundary matches the outcome you need.

Problem

Deploy and inspect workflows from the terminal

The CLI needs authenticated access without borrowing a browser session or exposing a key in shell history.

How this helps

Create a named key with the required abilities and save it through the CLI masked prompt.

Try the credential-free first workflow after login →

Problem

Give an integration only the access it needs

A script that starts Runs should not automatically gain permission to deploy Projects or reveal secret values.

How this helps

Issue a separate, ability-scoped key for that consumer and revoke it without disrupting unrelated clients.

Create a key

  1. Choose Generate Key and give it a name that identifies its device or integration.
  2. Select only the abilities that consumer needs.
  3. Generate the key and copy the plaintext value immediately; SolidActions will not display it again.
  4. Store it in the CLI's protected config flow or a secret manager, never in source control.

Choose abilities

AbilityWhat it permits
Deploy projectsCreate/read projects, deploy source, inspect build logs, and manage deployment-side schedules, webhooks, environments, and YAML bindings.
View and trigger runsList and inspect runs and start workflows through the API or CLI.
Variables (masked)Manage variable metadata and values without revealing saved secret plaintext.
Reveal secret valuesRead plaintext secrets, including operations such as solidactions env pull.
Read and edit docsUse the public Docs REST API.

Optional workflow MCP and Pegboard scopes serve specialized clients. “All workflows” enables the beta workflow MCP server. A Pegboard scope grants one key access to one board's Pegs tools; create a separate key for another board.

Authenticate the CLI safely

npm install -g @solidactions/cli
solidactions login --global
solidactions whoami

The intended login flow asks for SolidActions API key in a masked prompt. Automation can use the CLI's explicit standard-input flow after it is available in the published package. Do not put the secret in the command itself: positional secrets can appear in shell history and process listings.

Confirm your installed CLI supports secret-safe login.

If it still requires solidactions login <api-key>, stop rather than pasting a production key. Update to the release that includes masked no-argument login, then follow the workflow quickstart.

Use a key with REST

Send the key as a bearer token over HTTPS and follow the liveOpenAPI schema for paths and request bodies. Keep the key in a secret manager or protected environment variable and redact authorization headers from logs.

Edit or revoke

Editing changes abilities and optional scopes without changing the secret itself. The list also shows creation and last-used timestamps. Revoke a key immediately when a device, integration, log, or person may have exposed it; applications using it stop working.

For planned rotation:

  1. Create a replacement with the minimum abilities.
  2. Update the consumer and verify a safe read operation.
  3. Revoke the old key.

API key or MCP connection?

Use API keys for CLI and REST clients. Use Settings → MCP Connections for chat and AI clients that authorize interactively in a browser. Crews and Dashboards are primarily accessed through MCP rather than the workflow REST abilities on this page.

Next: follow Build workflows or open the OpenAPI schema.