---
url: /en/guide/deploy-key.md
---
`Deploy Keys` are read-only credentials used by the CNB platform. They allow for the secure retrieval of repository code or artifacts within CI/CD pipelines and scripts without exposing primary account access keys.

Common Use Cases:

* Automated scripts fetching code or dependencies.
* Passwordless repository access (read-only) in CI/CD.
* Granting least-privilege access for third-party service integrations.

## Creating a Deploy Key

Log in and navigate to `Organization Settings / Repository Settings / Artifact Settings` -> `Deploy Keys` -> `Add Deploy Key`.

Configure the following parameters:

* **Token Name:** A unique identifier for the token.
* **Expiration:** The date after which the token becomes invalid.
* **Scope:** Defines the specific permissions and operations authorized for the token.

Once created, the token string will be displayed.

## Usage Scenarios

### Repository Access

* **Username:** `cnb`
* **Password:** The generated **Deploy Key**
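
The credentials above, supplied to `git` from a CI script without putting the key in the clone URL, shell history, or `.git/config`. This is an added example, not CNB's own code; the host `cnb.example.com`, the `CNB_DEPLOY_KEY` variable, and the function names are assumptions.

```shell
#!/bin/sh
# Assumed setup: the CI system injects the Deploy Key as the secret
# environment variable CNB_DEPLOY_KEY (hypothetical name).

# write_askpass DIR: create a GIT_ASKPASS helper in DIR and print its path.
# The helper reads the key from the environment at call time, so the key
# itself is never written to disk.
write_askpass() {
    helper="$1/cnb-askpass.sh"
    cat > "$helper" <<'EOF'
#!/bin/sh
# git passes its prompt text as $1, e.g. "Username for 'https://host': "
case "$1" in
    Username*) printf '%s\n' "cnb" ;;
    Password*) printf '%s\n' "$CNB_DEPLOY_KEY" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# clone_with_deploy_key URL DEST: read-only clone using the Deploy Key.
clone_with_deploy_key() {
    repo_url="$1"; dest="$2"
    [ -n "${CNB_DEPLOY_KEY:-}" ] || { echo "CNB_DEPLOY_KEY is not set" >&2; return 2; }
    case "$repo_url" in
        # Credentials in the URL end up in .git/config and process listings.
        https://*@*) echo "refusing URL containing '@'" >&2; return 2 ;;
        https://*)   ;;
        *)           echo "only https:// URLs are accepted" >&2; return 2 ;;
    esac
    tmp=$(mktemp -d) || return 1      # mktemp -d creates a 0700 directory
    askpass=$(write_askpass "$tmp")
    rc=0
    # credential.helper= clears configured helpers so the key is not cached;
    # GIT_TERMINAL_PROMPT=0 makes a missing or rejected key fail, not hang.
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= clone --depth 1 "$repo_url" "$dest" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage (placeholder host and path):
#   clone_with_deploy_key "https://cnb.example.com/my-org/my-repo.git" ./src
```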

### Artifact Library Access

* **Username:** `cnb`
* **Password:** The generated **Deploy Key**

### OpenAPI Access

See: [Open API](../develops/openapi.md)

## Deploy Keys vs. Access Tokens

* **Read-Only:** Deploy Keys are restricted to reading content; they cannot create releases or upload artifacts.
* **Scope Hierarchy:** The scope is determined by where the token is created. A token created at the Organization level applies to the entire organization, while tokens created at the Repository or Artifact level are restricted to those specific resources.
* **Ownership:** Access tokens are tied to specific user permissions, whereas Deploy Keys are resource-centric and independent of individual user accounts.
* **OpenAPI Calls:** Deploy Keys can be used to invoke AI-related OpenAPI endpoints. When an access token is used to call these endpoints instead, the user associated with the token must have write permissions for the repository.

## Default Permission Rules

* **Private Repositories/Artifacts:** No permissions by default; scopes must be manually selected.
* **Public Repositories/Artifacts:** Read-only access is granted by default.

## Important Notes

* Deploy Keys are **not** suitable for write operations (e.g., publishing or uploading).
* Regularly audit token usage and revoke any that are no longer needed.
* Ensure the correct scope is selected during creation to avoid "Permission Denied" errors.
