---
url: /en/guide/deploy-key.md
description: >-
  Describes CNB deploy keys, which are read-only credentials for securely
  accessing repositories in CI/CD pipelines and scripts without exposing primary
  account credentials.
---
`Deploy Keys` are read-only credentials on the CNB platform.
They allow secure retrieval of repository code or artifacts in CI/CD pipelines or automated scripts without exposing
primary account keys.

Common use cases:

* Automated scripts fetching code or dependency artifacts
* Passwordless repository access (read-only) in CI/CD
* Granting least-privilege access for third-party service integrations

## Creating a Deploy Key

Log in, open the settings page for the level the key should apply to (`Organization Settings`, `Repository Settings`,
or `Artifact Settings`), then go to `Deploy Keys` → `Add Deploy Key` and configure the following parameters:

* **Token Name:** Unique identifier for the token
* **Expiration:** Token expiry time; the token becomes unusable after expiration
* **Scope:** Permissions authorized for the token

## Usage Scenarios

### Accessing Code Repositories

* Username: `cnb`
* Password: The added deploy key
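
The username/password convention above, applied to a `git clone` over HTTPS. This is an added example, not CNB's own code; it keeps the deploy key out of the clone URL, `.git/config` and any stored credential helper. The environment variable `CNB_DEPLOY_KEY`, the function names and the host `git.example.com` are assumptions.

```shell
#!/bin/sh
# Added example, not CNB's own code. Assumed names: CNB_DEPLOY_KEY (env var
# injected by the CI secret store), git.example.com (placeholder host).

# Credential helper run by git's child shell. $CNB_DEPLOY_KEY is expanded
# there, so the key never appears in argv, the URL, or .git/config.
# git appends the action (get/store/erase) as the helper's first argument.
CNB_HELPER='!f() { [ "$1" = get ] || exit 0
  [ -n "$CNB_DEPLOY_KEY" ] || { echo "CNB_DEPLOY_KEY is not set" >&2; exit 1; }
  printf "username=cnb\npassword=%s\n" "$CNB_DEPLOY_KEY"; }; f'

# Run the helper the way git would (drop the leading "!"), for inspection.
run_helper() { sh -c "${CNB_HELPER#?} $1"; }

# True if the URL embeds credentials (https://user:key@host/...), which would
# persist the key in .git/config and expose it in process listings.
has_userinfo() {
    rest=${1#*://}
    authority=${rest%%/*}
    case "$authority" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read-only clone: clone_readonly <https-url> <destination>
clone_readonly() {
    url=$1
    dest=$2
    if has_userinfo "$url"; then
        echo "refusing URL with embedded credentials" >&2
        return 2
    fi
    # The empty credential.helper resets helpers from system/global config,
    # so no store or keychain helper saves the key after a successful login.
    # GIT_TERMINAL_PROMPT=0 makes a missing key fail fast instead of hanging.
    GIT_TERMINAL_PROMPT=0 git -c credential.helper= \
        -c credential.helper="$CNB_HELPER" clone "$url" "$dest"
}

# Usage in a pipeline step (CNB_DEPLOY_KEY already exported by the CI system):
#   clone_readonly https://git.example.com/org/repo.git repo
```
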

### Accessing Artifact Repositories

* Username: `cnb`
* Password: The added deploy key

### Accessing OpenAPI

See: [Open API](../develops/openapi.md)

## Deploy Keys vs. Access Tokens

* **Read-Only:** Deploy Keys can only read repository or artifact content;
  they cannot create releases or upload artifacts
* **Scope:** Determined by the resource level where the key is created — organization level for the entire
  organization, repository level for that repository, artifact level for that artifact
* **Ownership:** Access tokens are tied to user permissions; deploy keys are resource-centric with no user association
* **OpenAPI Calls:** Deploy Keys can invoke AI-related OpenAPI endpoints.
  Access tokens require the associated user to have repository write permissions for these endpoints

## Default Permission Rules

* **Private Repositories/Artifacts:** No permissions by default; scopes must be manually selected
* **Public Repositories/Artifacts:** Read-only access by default

## Important Notes

* Deploy Keys are not suitable for write operations (e.g., publishing or uploading artifacts)
* Regularly audit token usage and revoke any that are no longer needed
* Select the correct scope explicitly during creation; scopes left unchecked by default lead to permission errors
