> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ghostable.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploy Tokens

> Deploy tokens are automation-only identities for CI, scripts, and deployment runners.

<Card title="Read the security model" icon="lock" href="/fundamentals/v2/overview/security-model">
  Deploy tokens are the automation counterpart to human-linked devices.
</Card>

## What a Deploy Token Is

A deploy token is a scoped automation identity that can fetch and decrypt one environment without
using a human session. Each token issues two secrets:

* `GHOSTABLE_CI_TOKEN` for API authentication.
* `GHOSTABLE_DEPLOY_SEED` for the private cryptographic material used by the runner.

## When to Use One

Deploy tokens are the right choice for:

* CI pipelines.
* Build runners.
* Deployment hooks.
* Scheduled automation.

They are not meant for local development or interactive team workflows.

## Lifecycle Expectations

Treat deploy tokens like production credentials:

* Scope them narrowly, ideally one token per environment.
* Rotate them on a schedule or after exposure.
* Revoke them immediately when a runner is retired.
* Store both values in a proper secret manager.

## Continue with Your Client

<CardGroup>
  <Card title="Create from Desktop" icon="laptop" href="/desktop/v1/daily-work/deploy-tokens">
    Use the environment Deploy Tokens view to issue, rotate, and revoke secrets.
  </Card>

  <Card title="Create from CLI" icon="terminal" href="/cli/v2/workflows/deploy-tokens">
    Use the CLI to issue automation credentials from a trusted workstation.
  </Card>
</CardGroup>