sentry-cli "401 Authentication credentials were not provided" in CI
sentry-cli sent its request to the Sentry API with no usable auth token, so the API answered 401 and the message "Authentication credentials were not provided." The connection worked; the credential was simply absent.
What this error means
A sentry-cli step (releases, sourcemaps, info) fails with "error: API request failed: 401 Unauthorized: Authentication credentials were not provided." The token env var or --auth-token flag is empty in CI.
error: API request failed
caused by: sentry reported an error: Authentication credentials were not provided. (http status: 401)Common causes
SENTRY_AUTH_TOKEN is unset in the job
The secret was never exposed to the step, or the env var name is misspelled, so sentry-cli sends an anonymous request and the API returns 401.
The token is empty on a fork or for a different env
Secrets are not passed to workflows triggered from forks, so SENTRY_AUTH_TOKEN resolves to an empty string and authentication never happens.
How to fix it
Set SENTRY_AUTH_TOKEN from a secret
- Create an auth token in Sentry under Settings, Auth Tokens.
- Store it as a repository or organization secret.
- Expose it as
SENTRY_AUTH_TOKENin the step env so sentry-cli reads it automatically.
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
run: sentry-cli releases new "$GITHUB_SHA"Confirm the token actually reaches the CLI
Print only that the variable is non-empty (never the value) to confirm the secret was injected before the failing call.
test -n "$SENTRY_AUTH_TOKEN" || { echo "SENTRY_AUTH_TOKEN is empty"; exit 1; }How to prevent it
- Keep the auth token in CI secrets and reference it by the exact env name sentry-cli expects.
- Guard early with a non-empty check so the failure is obvious.
- Remember fork-triggered runs have no secrets; skip release steps there.