Skip to content
Latchkey

Spacelift "spacectl" unauthorized / API key error in CI

spacectl authenticates to your Spacelift account with an API key id and secret against your account endpoint. If any of SPACELIFT_API_KEY_ENDPOINT, SPACELIFT_API_KEY_ID, or SPACELIFT_API_KEY_SECRET is missing or wrong, the CLI cannot get a token and every call is unauthorized.

What this error means

A spacectl command in CI fails with an unauthorized or authentication error, or "could not obtain a token". Interactive login is not available on a runner, so the env-var flow must be complete.

spacectl
Error: could not authenticate to Spacelift: unauthorized

make sure SPACELIFT_API_KEY_ENDPOINT, SPACELIFT_API_KEY_ID and
SPACELIFT_API_KEY_SECRET are set correctly

Common causes

Missing or wrong API key variables

spacectl in CI reads the endpoint, key id, and key secret from environment variables. A blank or incorrect value yields unauthorized.

The endpoint does not match your account

The endpoint must be your account URL (for example https://<account>.app.spacelift.io). A wrong host rejects the key.

How to fix it

Set the three spacectl variables

  1. Create an API key in Spacelift and copy the id and secret.
  2. Store them as CI secrets alongside your account endpoint.
  3. Export all three for the spacectl step.
.github/workflows/ci.yml
env:
  SPACELIFT_API_KEY_ENDPOINT: https://acme.app.spacelift.io
  SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_KEY_ID }}
  SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_KEY_SECRET }}

Verify the key is active

A revoked or disabled API key still reaches the API but is rejected. Confirm the key exists and is enabled in Spacelift.

How to prevent it

  • Keep the endpoint, id, and secret together as a set in CI secrets.
  • Rotate the API key secret and update CI in one place.
  • Fail fast if any of the three variables is empty.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →