API Keys
API keys provide programmatic access to the deploybase API without requiring an interactive login. They are used for CI/CD integrations, scripts, and the MCP server.
Key Format
Section titled “Key Format”API keys use the dbk_ prefix:
dbk_a1b2c3d4e5f6g7h8i9j0...Keys are high-entropy random strings. They are hashed with SHA-256 before storage — deploybase cannot recover a lost key.
Authentication
Section titled “Authentication”Include the API key in the Authorization header:
curl https://api.deploybase.eu/api/v1/projects \ -H "Authorization: Bearer dbk_your_api_key_here"API keys and JWT tokens use the same Authorization: Bearer header. The backend distinguishes them by the dbk_ prefix.
API keys are scoped to a tenant (organization). A key can access all projects, deployments, and domains within its tenant. There is no per-project key scoping.
Managing Keys
Section titled “Managing Keys”Create a Key
Section titled “Create a Key”Generate a new API key from the dashboard under Settings > API Keys. The full key is displayed once at creation — copy it immediately.
Revoke a Key
Section titled “Revoke a Key”Revoking a key is immediate. Any request using the revoked key returns 401 Unauthorized.
Rotation
Section titled “Rotation”Best practice: rotate API keys quarterly. Create a new key, update your integrations, then revoke the old key.
Rate Limits
Section titled “Rate Limits”API key requests are rate-limited at 100 requests per minute per tenant (same as authenticated user requests).
Use Cases
Section titled “Use Cases”- CI/CD pipelines: Trigger deployments from GitHub Actions, GitLab CI, or Woodpecker
- MCP server: Authenticate the deploybase MCP server for AI-assisted deployments
- Scripts: Automate project creation, bulk operations, or monitoring
Security
Section titled “Security”- Never commit API keys to Git repositories
- Store keys in CI/CD secrets or environment variables
- Use separate keys for different environments (staging, production) if needed
- Monitor key usage via the dashboard