Managing Apps in Private Spaces: Granting Permissions
Last updated December 12, 2024
Private Spaces have a trust boundary within which your team can deploy and manage apps that handle sensitive data. The ability to create apps in a space is constrained to team administrators and users with the app creation permission for the space. For Heroku Enterprise Teams, the administrator for the Enterprise Team can give other members additional access using fine-grained access controls after creating an app.
Create an App in a Private Space
The only users who can create apps in a Private Space are:
- Team administrators
- Team members that have been granted the app creation permission by an administrator. (This can be done in the Heroku Dashboard by clicking on the Space and then clicking Access.)
In the Heroku Dashboard, click on a space and choose Create New App.
In the Heroku CLI, use the create command:
$ heroku create my-space-app --space my-space-name
Creating my-space-app in space my-space-name... done
http://my-space-app-1234567890ab.herokuapp.com/ | https://git.heroku.com/my-space-app.git
Admins on Heroku Enterprise Teams can grant other team members access using one of several app permissions after creating the app. Only grant more than view permissions to members trusted to access any sensitive data protected by the space. Give all other members who develop on the app, but who don’t need production access, access only to staging and development environments.
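The least-privilege guidance above can be checked mechanically. The following is an added example, not Heroku's own code: it audits a constructed export of permission grants and reports members outside a trusted list who hold more than view on production apps. The record field names, the env label, and the trusted list are assumptions for illustration.

```python
import json

# Constructed sample export: one record per (app, member) grant.
# Field names and the "env" label are assumptions for this example.
SAMPLE_GRANTS = json.loads("""
[
  {"app": "my-space-app", "env": "production", "email": "alice@example.com",
   "permissions": ["view", "deploy", "operate", "manage"]},
  {"app": "my-space-app", "env": "production", "email": "bob@example.com",
   "permissions": ["view", "deploy"]},
  {"app": "my-space-app", "env": "production", "email": "carol@example.com",
   "permissions": ["view"]},
  {"app": "my-space-app-staging", "env": "staging", "email": "bob@example.com",
   "permissions": ["view", "deploy", "operate"]},
  {"app": "my-space-app", "env": "production", "email": "Dave@example.com",
   "permissions": ["View", "operate "]}
]
""")

# Hypothetical allowlist: members approved to access the space's sensitive data.
TRUSTED_MEMBERS = {"alice@example.com"}


def audit_grants(grants, trusted, sensitive_envs=("production",)):
    """Return (app, email, extra_permissions) for every untrusted member
    holding more than `view` on an app in a sensitive environment."""
    findings = []
    for g in grants:
        if g["env"] not in sensitive_envs:
            continue  # staging/development grants are out of scope here
        email = g["email"].strip().lower()
        if email in trusted:
            continue
        # Normalize names; anything that is not exactly "view" counts as extra,
        # so an unrecognized permission name fails closed.
        perms = {p.strip().lower() for p in g.get("permissions", [])}
        extra = sorted(perms - {"view"})
        if extra:
            findings.append((g["app"], email, extra))
    return sorted(findings)


if __name__ == "__main__":
    for app, email, extra in audit_grants(SAMPLE_GRANTS, TRUSTED_MEMBERS):
        print(f"{app}: {email} holds {', '.join(extra)} but is not on the trusted list")
```

Passing `sensitive_envs=("production", "staging")` widens the check to staging apps that also handle sensitive data.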
Deploy an App in a Private Space
Deploy code to Private Space apps in the same ways as with Common Runtime apps, such as by using git push heroku main or a GitHub integration.
The build process itself occurs outside the Private Space and doesn’t have access to any resources located inside the Private Space.
Scaling a Process
Scaling your dyno formation follows the same pattern within Private Spaces as with the Common Runtime. For example:
$ heroku ps:scale web=2 worker=1
Scaling a formation up requires that new dynos are provisioned and launched within your Private Space. This process takes a few minutes to complete.
If your app requires high availability, we suggest that you scale up your dyno formation to a minimum of 3 dynos for each process type. This helps maintain application availability in the unlikely scenario of an AZ failure.
One-Off Dynos
heroku run, which spins up one-off dynos, is unavailable for Fir-generation apps. Use heroku run:inside until we make heroku run available for Fir. See Heroku Generations for more info.
“One-off” dynos are available via heroku run:
$ heroku run bash
Running bash...
▸ WARNING: Warning: Dynos can take up to a few minutes to be provisioned in Private Spaces.
Creating a one-off dyno will require that a new dyno is provisioned and launched within your Private Space. This process takes a few minutes to complete.
List Apps in a Private Space
All team members can view all apps in a Private Space:
$ heroku apps --space my-space-name
=== Apps in space my-space-name
my-space-app-1
my-space-app-2
View Info About an App in a Private Space
All team admins can view detailed info about a single app in a Private Space:
$ heroku info --app my-space-app
=== my-space-app
Collaborators: my-team-name@example.com
Git URL: https://git.heroku.com/my-space-app.git
Owner: my-team-name
Region: tokyo
Space: my-space-name
Stack: heroku-20
Web URL: http://my-space-app-1234567890ab.herokuapp.com/
Destroy an App in a Private Space
Team admins and members who have manage permission on an app can destroy it:
$ heroku apps:destroy -a my-space-app
Destroying my-space-app (including all add-ons)... done
Adding Custom Domains and SSL
Only team administrators and members who have manage permission on an app can add custom domains and manage SSL.
SSL and custom domains for apps in Spaces are handled similarly to apps in the Common Runtime. See the Custom Domains and SSL documentation for detailed steps.
Newly created Private Spaces apps get working HTTPS on <appname>-<random-identifier>.herokuapp.com a couple of minutes after app creation and after apps are renamed. Enabling ACM or manually uploading a certificate to enable SSL for custom domains will not affect the SSL cert on the default domain (e.g. http://example-app-1234567890ab.herokuapp.com). The default app domain will always work with standard HTTP.