Heroku "Invalid credentials provided" (HEROKU_API_KEY) in CI
The Heroku CLI authenticates non-interactively with HEROKU_API_KEY. When the key is unset, expired, or wrong, the platform rejects the request with "Invalid credentials provided".
What this error means
A Heroku CLI command in CI fails with "Invalid credentials provided." or "Your API key is expired or invalid".
Heroku CLI
▸ Invalid credentials provided.Common causes
Missing or wrong API key
CI cannot run heroku login, so without a valid HEROKU_API_KEY the CLI has no usable credential.
An expired or rotated key
The key was regenerated or the account password changed, invalidating the old key the CI secret still holds.
How to fix it
Set HEROKU_API_KEY from a secret
- Generate an authorization token with
heroku authorizations:create. - Store it as a CI secret named
HEROKU_API_KEY. - Expose it to the deploy step env.
.github/workflows/ci.yml
env:
HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}Rotate and update an expired key
If the key expired, create a new long-lived authorization token and update the CI secret.
Terminal
heroku authorizations:create -d "ci-deploy"How to prevent it
- Use a long-lived authorization token, not an interactive login.
- Keep
HEROKU_API_KEYin CI secrets. - Rotate the token on a schedule and update the secret centrally.
Related guides
Heroku "Couldn't find that app" in CIFix Heroku "Couldn't find that app" in CI - the app name passed to the CLI or git remote does not exist or th…
Heroku "Push rejected, failed to compile" in CIFix Heroku "Push rejected, failed to compile" on git push deploy in CI - a buildpack could not build the app,…
Render API "401 Unauthorized" (API key) in CIFix Render API "401 Unauthorized" when triggering a deploy from CI - the RENDER_API_KEY is missing, wrong, or…