Skip to content
Latchkey

Heroku "Invalid credentials provided" (HEROKU_API_KEY) in CI

The Heroku CLI authenticates non-interactively with HEROKU_API_KEY. When the key is unset, expired, or wrong, the platform rejects the request with "Invalid credentials provided".

What this error means

A Heroku CLI command in CI fails with "Invalid credentials provided." or "Your API key is expired or invalid".

Heroku CLI
 ▸    Invalid credentials provided.

Common causes

Missing or wrong API key

CI cannot run heroku login, so without a valid HEROKU_API_KEY the CLI has no usable credential.

An expired or rotated key

The key was regenerated or the account password changed, invalidating the old key the CI secret still holds.

How to fix it

Set HEROKU_API_KEY from a secret

  1. Generate an authorization token with heroku authorizations:create.
  2. Store it as a CI secret named HEROKU_API_KEY.
  3. Expose it to the deploy step env.
.github/workflows/ci.yml
env:
  HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}

Rotate and update an expired key

If the key expired, create a new long-lived authorization token and update the CI secret.

Terminal
heroku authorizations:create -d "ci-deploy"

How to prevent it

  • Use a long-lived authorization token, not an interactive login.
  • Keep HEROKU_API_KEY in CI secrets.
  • Rotate the token on a schedule and update the secret centrally.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →