Use API keys when automation can’t complete a browser login. They authenticate with bearer auth, skip CSRF checks, and carry explicit scopes — so each job gets exactly the access it needs and nothing more.
Create a key artifacts keys create --name ci --scopes artifacts:read,artifacts:create,artifacts:update
If you omit --scopes, the CLI defaults to:
artifacts:read,artifacts:create,artifacts:update
The raw secret is shown once, at creation. Store it in your secret manager immediately — never commit it.
Use a key Provide the token through an environment variable, or pipe it in over stdin to keep it off the process list.
Environment variable
stdin
REST
export AGENT_ARTIFACTS_BASE_URL = "https://api.example.com" export AGENT_ARTIFACTS_TOKEN = "aa_live_..." artifacts whoami --format json artifacts push --owner alice --project-slug default --file ./report.md --no-input
Run non-interactively Set AGENT_ARTIFACTS_NO_INPUT=1 (or pass --no-input) so jobs fail fast instead of trying to open a browser:
export AGENT_ARTIFACTS_NO_INPUT = 1 export AGENT_ARTIFACTS_TOKEN = "aa_live_..." artifacts artifact list --format json
Manage keys REST equivalents:
GET /api/api-keys DELETE /api/api-keys/:apiKeyId
Available scopes Scope Allows artifacts:readRead artifacts, versions, content, diffs, and project lists artifacts:createCreate artifacts and projects artifacts:updateAppend versions and restore versions artifacts:deleteSoft-delete artifacts artifacts:shareCreate, list, and revoke share links artifacts:access:readRead artifact access settings artifacts:access:writeUpdate artifact access settings agents:manageManage API keys and agent credentials
Example: publish a report from CI set -euo pipefail export AGENT_ARTIFACTS_BASE_URL = "https://api.example.com" export AGENT_ARTIFACTS_NO_INPUT = 1 bun run build:report artifacts push \ --token " $AGENT_ARTIFACTS_TOKEN " \ --owner " $ARTIFACTS_OWNER " \ --project-slug ci \ --file ./out/report.html \ --title "CI report for $GITHUB_SHA " \ --private \ --format json
Stay safe
Give each automation its own key.
Use the smallest scope set that completes the job.
Prefer environment variables or stdin over flags on shared hosts.
Revoke keys the moment a job or agent is retired.
Use --dry-run to preview mutating CLI calls while building a pipeline.
