Read the security model
Deploy tokens are the automation counterpart to human-linked devices.
What a Deploy Token Is
A deploy token is a scoped automation identity that can fetch and decrypt one environment without using a human session. Each token issues two secrets:GHOSTABLE_CI_TOKENfor API authentication.GHOSTABLE_DEPLOY_SEEDfor the private cryptographic material used by the runner.
When to Use One
Deploy tokens are the right choice for:- CI pipelines.
- Build runners.
- Deployment hooks.
- Scheduled automation.
Lifecycle Expectations
Treat deploy tokens like production credentials:- Scope them narrowly, ideally one token per environment.
- Rotate them on a schedule or after exposure.
- Revoke them immediately when a runner is retired.
- Store both values in a proper secret manager.
Continue with Your Client
Create from Desktop
Use the environment Deploy Tokens view to issue, rotate, and revoke secrets.
Create from CLI
Use the CLI to issue automation credentials from a trusted workstation.