Security & Access Control
API Keys
API keys provide secure, long-lived authentication for CI/CD and automation.
Creating API Keys
curl -X POST https://registry.yourcompany.com/v1/workspaces/ws_ID/api-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Pipeline",
    "description": "GitHub Actions publishing",
    "permissions": ["packages.read", "versions.create", "artifacts.upload"],
    "expires_at": "2026-12-31T23:59:59Z"
  }'
Key Formats
gf_live_abc123def456... # Production key
gf_test_xyz789ghi012... # Test key
Scoped Permissions
Limit keys to specific permissions:
{
  "permissions": [
    "packages.read",    // Read package metadata
    "versions.create",  // Publish versions
    "artifacts.upload"  // Upload artifacts
  ]
}
Best Practices
- Minimum permissions - Only grant what's needed
- Descriptive names - "GitHub Actions CI" not "Key 1"
- Set expiration - Max 1 year
- Rotate regularly - Every 90 days
- Revoke unused - Clean up old keys
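The practices above can be checked mechanically against a key inventory. The following is an added example, not code from the registry project: the record fields id, created_at and last_used_at are assumptions about what the key listing returns (name, permissions and expires_at come from the create request on this page), the 30-day "unused" threshold is an assumption, and "workspace.admin" is a made-up permission name.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)   # "Set expiration - Max 1 year"
ROTATE_AFTER = timedelta(days=90)    # "Rotate regularly - Every 90 days"
UNUSED_AFTER = timedelta(days=30)    # assumption: the page gives no threshold for "unused"
# Permissions the CI example on this page requests; anything else is flagged.
CI_ALLOWED = {"packages.read", "versions.create", "artifacts.upload"}


def _ts(value):
    """Parse an RFC 3339 timestamp such as 2026-12-31T23:59:59Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key(key, now):
    """Return the list of best-practice violations for one key record."""
    findings = []
    created = _ts(key["created_at"])
    if not key.get("expires_at"):
        findings.append("no expiration set")
    elif _ts(key["expires_at"]) - created > MAX_LIFETIME:
        findings.append("lifetime exceeds 1 year")
    if now - created > ROTATE_AFTER:
        findings.append("rotation overdue (older than 90 days)")
    last_used = key.get("last_used_at")
    if last_used is None or now - _ts(last_used) > UNUSED_AFTER:
        findings.append("unused, candidate for revocation")
    extra = sorted(set(key.get("permissions", [])) - CI_ALLOWED)
    if extra:
        findings.append("permissions beyond CI scope: " + ", ".join(extra))
    return findings


# Constructed sample records, not real registry output.
# "workspace.admin" is a hypothetical permission name used only for illustration.
SAMPLE_KEYS = [
    {"id": "key_A", "name": "GitHub Actions CI", "created_at": "2026-01-10T00:00:00Z",
     "expires_at": "2026-12-31T23:59:59Z", "last_used_at": "2026-02-27T08:00:00Z",
     "permissions": ["packages.read", "versions.create", "artifacts.upload"]},
    {"id": "key_B", "name": "Key 1", "created_at": "2025-06-01T00:00:00Z",
     "expires_at": None, "last_used_at": None,
     "permissions": ["packages.read", "workspace.admin"]},
]

if __name__ == "__main__":
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    for k in SAMPLE_KEYS:
        print(k["id"], k["name"], audit_key(k, now) or "ok")
```

Run on a schedule, a check like this turns the rotation and revocation items into alerts instead of manual reviews.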
Managing Keys
# List keys
curl https://registry.yourcompany.com/v1/workspaces/ws_ID/api-keys \
  -H "Authorization: Bearer $TOKEN"
# Revoke key
curl -X DELETE https://registry.yourcompany.com/v1/api-keys/key_ID \
  -H "Authorization: Bearer $TOKEN"
Using in CI/CD
Store as secrets in your CI/CD platform:
# GitHub Actions
env:
  GF_PUB_TOKEN: ${{ secrets.GAME_FRAMEWORK_TOKEN }}
See CI/CD Integration for examples.
Next Steps
- Authentication - Auth methods
- CI/CD Integration - Automation