Skip to content
Shorebird

API Keys

API keys let you authenticate with Shorebird from CI systems and other automated environments. You can create, view, and revoke API keys from the Shorebird Console.

Creating an API Key

Section titled “Creating an API Key”
  1. Open Account → API Keys in the console.
  2. Click Create API Key.
  3. Enter a descriptive name (e.g., “GitHub Actions — my-app”).
  4. Choose an expiration period.
  5. Select a permission level.
  6. Click Create.

The full key value is shown exactly once after creation. Copy it and store it securely — it cannot be retrieved again.

Using an API Key

Section titled “Using an API Key”

Set the key as the SHOREBIRD_TOKEN environment variable in your CI platform. Shorebird CLI commands will authenticate automatically when this variable is present.

export SHOREBIRD_TOKEN="<your-api-key>"
shorebird patch android

For platform-specific setup, see our CI guides for GitHub Actions, Codemagic, or the generic CI guide.

Expiration

Section titled “Expiration”

API keys default to a one-year expiration. During creation you can choose from:

  • 30 days
  • 90 days
  • 1 year (default)
  • No expiration

All expiration options are available on every plan.

Permissions

Section titled “Permissions”

API keys support two permission levels:

  • Full access — the key has the same permissions as your account. Available on all plans.
  • Release & Patch only — the key can create releases and patches, but cannot manage apps, organizations, members, or billing. Available on Pro and Business plans.

Revoking an API Key

Section titled “Revoking an API Key”

To revoke a key, find it in the API Keys list and click Delete. Revocation is immediate — any CI pipeline using that key will fail on its next run. This action cannot be undone.

Migrating from shorebird login:ci

Section titled “Migrating from shorebird login:ci”

The shorebird login:ci command is deprecated. Existing tokens generated by login:ci will continue to work until September 2026, but we recommend replacing them with API keys created from the console.

To migrate:

  1. Create a new API key in the console.
  2. Replace the SHOREBIRD_TOKEN value in your CI secrets with the new key.
  3. Verify your CI pipeline runs successfully.

The SHOREBIRD_TOKEN environment variable name has not changed, so no workflow file edits are needed beyond updating the secret value.

Security

Section titled “Security”
  • API keys use the sb_api_ prefix. This prefix is registered with GitHub secret scanning, so leaked keys in public repositories are flagged automatically.
  • Keys are stored as irreversible hashes. Shorebird cannot retrieve a key value after creation.
  • Treat API keys like passwords. Store them in your CI platform’s secrets manager and do not commit them to source control.