Skip to content

API Keys

API keys provide programmatic access to the deploybase API without requiring an interactive login. They are used for CI/CD integrations, scripts, and the MCP server.

API keys use the dbk_ prefix:

dbk_a1b2c3d4e5f6g7h8i9j0...

Keys are high-entropy random strings. They are hashed with SHA-256 before storage — deploybase cannot recover a lost key.

Include the API key in the Authorization header:

Terminal window
curl https://api.deploybase.eu/api/v1/projects \
-H "Authorization: Bearer dbk_your_api_key_here"

API keys and JWT tokens use the same Authorization: Bearer header. The backend distinguishes them by the dbk_ prefix.

API keys are scoped to a tenant (organization). A key can access all projects, deployments, and domains within its tenant. There is no per-project key scoping.

Generate a new API key from the dashboard under Settings > API Keys. The full key is displayed once at creation — copy it immediately.

Revoking a key is immediate. Any request using the revoked key returns 401 Unauthorized.

Best practice: rotate API keys quarterly. Create a new key, update your integrations, then revoke the old key.

API key requests are rate-limited at 100 requests per minute per tenant (same as authenticated user requests).

  • CI/CD pipelines: Trigger deployments from GitHub Actions, GitLab CI, or Woodpecker
  • MCP server: Authenticate the deploybase MCP server for AI-assisted deployments
  • Scripts: Automate project creation, bulk operations, or monitoring
  • Never commit API keys to Git repositories
  • Store keys in CI/CD secrets or environment variables
  • Use separate keys for different environments (staging, production) if needed
  • Monitor key usage via the dashboard