Spacelift "spacectl" unauthorized / API key error in CI
spacectl authenticates to your Spacelift account with an API key id and secret against your account endpoint. If any of SPACELIFT_API_KEY_ENDPOINT, SPACELIFT_API_KEY_ID, or SPACELIFT_API_KEY_SECRET is missing or wrong, the CLI cannot get a token and every call is unauthorized.
What this error means
A spacectl command in CI fails with an unauthorized or authentication error, or "could not obtain a token". Interactive login is not available on a runner, so the env-var flow must be complete.
Error: could not authenticate to Spacelift: unauthorized
make sure SPACELIFT_API_KEY_ENDPOINT, SPACELIFT_API_KEY_ID and
SPACELIFT_API_KEY_SECRET are set correctlyCommon causes
Missing or wrong API key variables
spacectl in CI reads the endpoint, key id, and key secret from environment variables. A blank or incorrect value yields unauthorized.
The endpoint does not match your account
The endpoint must be your account URL (for example https://<account>.app.spacelift.io). A wrong host rejects the key.
How to fix it
Set the three spacectl variables
- Create an API key in Spacelift and copy the id and secret.
- Store them as CI secrets alongside your account endpoint.
- Export all three for the spacectl step.
env:
SPACELIFT_API_KEY_ENDPOINT: https://acme.app.spacelift.io
SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_KEY_ID }}
SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_KEY_SECRET }}Verify the key is active
A revoked or disabled API key still reaches the API but is rejected. Confirm the key exists and is enabled in Spacelift.
How to prevent it
- Keep the endpoint, id, and secret together as a set in CI secrets.
- Rotate the API key secret and update CI in one place.
- Fail fast if any of the three variables is empty.