Skip Navigation
Show nav
Heroku Dev Center
  • Get Started
  • Documentation
  • Changelog
  • Search
  • Get Started
    • Node.js
    • Ruby on Rails
    • Ruby
    • Python
    • Java
    • PHP
    • Go
    • Scala
    • Clojure
  • Documentation
  • Changelog
  • More
    Additional Resources
    • Home
    • Elements
    • Products
    • Pricing
    • Careers
    • Help
    • Status
    • Events
    • Podcasts
    • Compliance Center
    Heroku Blog

    Heroku Blog

    Find out what's new with Heroku on our blog.

    Visit Blog
  • Log inorSign up
View categories

Categories

  • Heroku Architecture
    • Dynos (app containers)
    • Stacks (operating system images)
    • Networking & DNS
    • Platform Policies
    • Platform Principles
  • Command Line
  • Deployment
    • Deploying with Git
    • Deploying with Docker
    • Deployment Integrations
  • Continuous Delivery
    • Continuous Integration
  • Language Support
    • Node.js
    • Ruby
      • Working with Bundler
      • Rails Support
    • Python
      • Background Jobs in Python
      • Working with Django
    • Java
      • Working with Maven
      • Java Database Operations
      • Java Advanced Topics
      • Working with Spring Boot
    • PHP
    • Go
      • Go Dependency Management
    • Scala
    • Clojure
  • Databases & Data Management
    • Heroku Postgres
      • Postgres Basics
      • Postgres Getting Started
      • Postgres Performance
      • Postgres Data Transfer & Preservation
      • Postgres Availability
      • Postgres Special Topics
    • Heroku Data For Redis
    • Apache Kafka on Heroku
    • Other Data Stores
  • Monitoring & Metrics
    • Logging
  • App Performance
  • Add-ons
    • All Add-ons
  • Collaboration
  • Security
    • App Security
    • Identities & Authentication
    • Compliance
  • Heroku Enterprise
    • Private Spaces
      • Infrastructure Networking
    • Enterprise Accounts
    • Enterprise Teams
    • Heroku Connect (Salesforce sync)
      • Heroku Connect Administration
      • Heroku Connect Reference
      • Heroku Connect Troubleshooting
    • Single Sign-on (SSO)
  • Patterns & Best Practices
  • Extending Heroku
    • Platform API
    • App Webhooks
    • Heroku Labs
    • Building Add-ons
      • Add-on Development Tasks
      • Add-on APIs
      • Add-on Guidelines & Requirements
    • Building CLI Plugins
    • Developing Buildpacks
    • Dev Center
  • Accounts & Billing
  • Troubleshooting & Support
  • Integrating with Salesforce
  • Command Line
  • Heroku CLI Authentication

Heroku CLI Authentication

English — 日本語に切り替える

Last updated March 13, 2023

Table of Contents

  • API token storage
  • Retrieving the API token
  • Netrc file format

Authentication to Heroku uses one of the following mechanisms, depending on the situation:

  • Web-based authentication
  • Email and password
  • API token
  • SSH key

The email address and password are used by the heroku command to obtain an API token. This token is used for authentication in all other Heroku API requests, and can be regenerated at will by the user in the heroku.com web interface. Regenerating an API token invalidates the current token and creates a new one. If a user changes their password, their API token regenerates.

The SSH key is used for git push authentication when using SSH Git transport. You can use heroku keys to manage your SSH keys on Heroku.

API token storage

The Heroku command-line tool stores API tokens in the standard Unix file ~/.netrc ($HOME\_netrc on Windows).

The netrc format is well-established and well-supported by various network tools on unix. With Heroku credentials stored in this file, other tools such as curl -n can access the Heroku API with little or no extra work. When using the default HTTP transport, Git uses cURL, and cURL will use the API key stored in .netrc to authenticate with the Heroku HTTP Git service.

Setting the HEROKU_API_KEY environment variable on your machine will override any token set in the netrc file.

Usage examples

Running heroku login (or any other heroku command that requires authentication) creates or updates your ~/.netrc file:

$ heroku login
heroku: Press any key to open up the browser to login or q to exit
 ›   Warning: If browser does not open, visit
 ›   https://cli-auth.heroku.com/auth/browser/***
heroku: Waiting for login...
Logging in... done
Logged in as me@example.com
$ cat ~/.netrc
machine api.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430
machine git.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430

Retrieving the API token

You can display the token via the CLI:

$ heroku auth:token
c4cd94da15ea0544802c2cfd5ec4ead324327430

Netrc file format

The file contains a list of free-form records and comments. Comments start with a # (hash) symbol and continue to the end of the line. Each record is of the form:

machine api.heroku.com
  login me@example.com
  password ABC123

The password field is actually an oauth token. Using the account’s password is invalid and will not work here.

Keep reading

  • Command Line

Feedback

Log in to submit feedback.

Using CLI Plugins Heroku CLI Autocomplete

Information & Support

  • Getting Started
  • Documentation
  • Changelog
  • Compliance Center
  • Training & Education
  • Blog
  • Podcasts
  • Support Channels
  • Status

Language Reference

  • Node.js
  • Ruby
  • Java
  • PHP
  • Python
  • Go
  • Scala
  • Clojure

Other Resources

  • Careers
  • Elements
  • Products
  • Pricing

Subscribe to our monthly newsletter

Your email address:

  • RSS
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku Blog
    • Heroku News Blog
    • Heroku Engineering Blog
  • Heroku Podcasts
  • Twitter
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku
    • Heroku Status
  • Facebook
  • Instagram
  • Github
  • LinkedIn
  • YouTube
Heroku is acompany

 © Salesforce.com

  • heroku.com
  • Terms of Service
  • Privacy
  • Cookies
  • Cookie Preferences