Authentication overview

Heroku implements authentication mechanisms to secure access to its platform, applications, and managed services. This includes access to the Heroku Dashboard, the Heroku Command Line Interface (CLI), and the Heroku API. The platform supports various authentication methods tailored for different use cases, ranging from interactive user sessions to programmatic access for integrations and automated workflows. Effective authentication is a foundational aspect of application security and operational integrity on Heroku.

For interactive access, such as logging into the Heroku Dashboard, users typically provide an email and password, often augmented with multi-factor authentication (MFA). For programmatic interactions, like deploying applications via the Heroku CLI or integrating with third-party tools, Heroku relies on API keys, referred to as Auth Tokens, and the OAuth 2.0 authorization framework. These mechanisms ensure that only authorized entities can perform actions on behalf of a user or application.

Heroku's approach to authentication aligns with common industry practices for cloud platforms, emphasizing secure credential management and granular control over permissions. Users are encouraged to adopt strong passwords, enable MFA, and manage API keys with care to prevent unauthorized access. The platform's documentation provides detailed guidance on setting up and managing these authentication methods to maintain a secure development and deployment environment.

Supported authentication methods

Heroku supports several authentication methods to accommodate different access requirements:

  • Email and Password: This is the standard method for logging into the Heroku Dashboard and the Heroku CLI for interactive sessions. It typically involves a username (email address) and a confidential password.
  • Multi-Factor Authentication (MFA): Heroku offers MFA as an additional layer of security for user accounts. When enabled, users must provide a second verification factor (e.g., a code from an authenticator app) in addition to their password during login. Heroku supports common MFA methods to enhance account security, as detailed in the Heroku Multi-Factor Authentication guide.
  • Auth Tokens (API Keys): These are long-lived, secret tokens generated by Heroku for programmatic access. Auth Tokens are used by the Heroku CLI when performing automated tasks, and can also be used by other scripts or services to interact directly with the Heroku API. They act as bearer tokens, granting access to the resources associated with the user account that generated them.
  • OAuth 2.0: Heroku utilizes OAuth 2.0 for third-party applications and services to request limited access to a user's Heroku account without sharing the user's credentials. This is particularly useful for integrations with developer tools, continuous integration/continuous deployment (CI/CD) pipelines, or monitoring services. OAuth 2.0 provides a secure and standardized way for delegated authorization, allowing users to grant specific permissions to applications, as described in the OAuth 2.0 specification.

The choice of authentication method depends on the specific use case. For interactive user access, email/password with MFA is standard. For automated scripts and integrations, Auth Tokens and OAuth 2.0 are the primary mechanisms.

Heroku Authentication Methods Overview

  • Email & Password
    When to use: Heroku Dashboard, initial CLI login
    Security level: Moderate (enhanced with MFA)
    Typical credential: Email address, password
  • Multi-Factor Authentication (MFA)
    When to use: Any interactive login with MFA enabled
    Security level: High
    Typical credential: Second factor (e.g., TOTP code)
  • Auth Token (API Key)
    When to use: Heroku CLI for automation, direct API calls, scripts
    Security level: High (bearer token; security depends on storage)
    Typical credential: Long-lived alphanumeric string
  • OAuth 2.0
    When to use: Third-party integrations, delegated authorization
    Security level: High (with refresh tokens and scopes)
    Typical credential: Client ID, Client Secret, Authorization Code, Access Token

Getting your credentials

Accessing Heroku requires obtaining the correct credentials for your chosen authentication method:

  1. Heroku Dashboard Account (Email & Password):

    If you don't have a Heroku account, you can create one directly on the Heroku website. This process typically involves providing an email address and setting a password. Once registered, you use these credentials to log into the Heroku Dashboard.

  2. Multi-Factor Authentication (MFA) Setup:

    After creating an account, it's highly recommended to enable MFA. This is done through your Heroku account settings in the Dashboard. Navigate to Account Settings > Multi-Factor Authentication and follow the instructions to link an authenticator app (like Google Authenticator or Authy) to your account. This setup generates time-based one-time passwords (TOTP) that you will use during login.

  3. Auth Tokens (API Keys):

    Auth Tokens are generated within your Heroku Dashboard. To obtain an Auth Token:

    1. Log in to the Heroku Dashboard Account page.
    2. Scroll down to the 'API Key' section.
    3. Click 'Reveal' to display your current API key. You can also generate a new one if needed by clicking 'Generate New API Key'.

    Treat this token as sensitively as your password, because it grants full access to your Heroku resources. Store it securely once revealed. The Heroku CLI automatically uses an Auth Token after you log in via heroku login, storing it locally in ~/.netrc on Unix-like systems, as described in the Heroku Dev Center authentication article.

  4. OAuth 2.0 Credentials (Client ID & Client Secret):

    To use OAuth 2.0 for your application, you must register your application with Heroku. This is typically done through the Heroku Dashboard under 'Apps' -> 'Create new app' or through the 'Developer Tools' section, where you can define an OAuth client. Upon registration, Heroku provides a Client ID and a Client Secret. These credentials identify your application and are used in the OAuth flow to obtain authorization from users. The Client Secret must be kept confidential and never exposed in client-side code.

Authenticated request example

This example demonstrates an authenticated request using an Auth Token to interact with the Heroku API via curl. This pattern applies to any HTTP client or programming language:

# Replace YOUR_HEROKU_AUTH_TOKEN with your actual Auth Token
# You can get your auth token from the Heroku Dashboard under Account Settings.

# Example: List your Heroku applications
curl -X GET https://api.heroku.com/apps \
  -H "Accept: application/vnd.heroku+json; version=3" \
  -H "Authorization: Bearer YOUR_HEROKU_AUTH_TOKEN"

In this request:

  • -X GET specifies the HTTP method.
  • https://api.heroku.com/apps is the API endpoint to list applications.
  • -H "Accept: application/vnd.heroku+json; version=3" sets the Accept header, specifying the desired API version and content type. This is crucial for Heroku API interactions.
  • -H "Authorization: Bearer YOUR_HEROKU_AUTH_TOKEN" is the authentication header. The Bearer scheme indicates that YOUR_HEROKU_AUTH_TOKEN is an access token granting authorization. Ensure you replace the placeholder with your actual Auth Token.

For CLI-based operations, after running heroku login, the CLI handles the token management automatically. For instance, to deploy an application via Git:

# Assuming you have initialized a Git repository and added Heroku as a remote
git push heroku main

This Git push will authenticate using the token stored by the Heroku CLI, enabling the deployment without manual token intervention.
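The same request built from a script, as an added example that is not part of the original page or of Heroku's own tooling. It sources the Auth Token the way the text recommends rather than hardcoding it: from an environment variable first (HEROKU_API_KEY, assumed here to be the variable the CLI honours), then from the api.heroku.com entry of the ~/.netrc file that heroku login writes, and it checks that the file is owner-readable only. The .netrc content is constructed sample data; the request object is built but never sent.

```python
import netrc
import os
import stat
import tempfile
import urllib.request

HEROKU_API = "https://api.heroku.com"
NETRC_MACHINE = "api.heroku.com"  # entry the Heroku CLI writes after `heroku login`
ACCEPT = "application/vnd.heroku+json; version=3"  # required API version header

def netrc_permissions_ok(path):
    """True if the .netrc is readable only by its owner (no group/other bits set)."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def token_from_netrc(path):
    """Return the password (the Auth Token) stored for api.heroku.com, or None."""
    if not os.path.exists(path):
        return None
    entry = netrc.netrc(path).authenticators(NETRC_MACHINE)  # (login, account, password)
    return entry[2] if entry else None

def resolve_token(env, netrc_path):
    """Precedence: HEROKU_API_KEY (assumed env var), then the .netrc the CLI wrote."""
    token = env.get("HEROKU_API_KEY")
    return token if token else token_from_netrc(netrc_path)

def list_apps_request(token):
    """Build the GET /apps request from the curl example; nothing is sent here."""
    headers = {"Accept": ACCEPT, "Authorization": f"Bearer {token}"}
    return urllib.request.Request(f"{HEROKU_API}/apps", headers=headers, method="GET")

def redact(token):
    """Log-safe form of a token: never write a full Auth Token to logs."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"

# Constructed sample .netrc in the layout the Heroku CLI uses (fake token).
CONSTRUCTED_NETRC = """machine api.heroku.com
  login dev@example.com
  password 0123456789abcdef0123456789abcdef
machine git.heroku.com
  login dev@example.com
  password 0123456789abcdef0123456789abcdef
"""

def demo():
    """Write the sample .netrc to a temp dir with mode 0600 and resolve a token from it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".netrc")
        with open(path, "w") as f:
            f.write(CONSTRUCTED_NETRC)
        os.chmod(path, 0o600)
        tok = resolve_token({}, path)
        return tok, netrc_permissions_ok(path), list_apps_request(tok).get_header("Authorization")
```

To send the request for real, pass the object from list_apps_request to urllib.request.urlopen; log only redact(token).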

Security best practices

Adhering to security best practices is essential when managing Heroku authentication credentials:

  • Enable Multi-Factor Authentication (MFA): For all human users, MFA adds a critical layer of security by requiring a second verification factor beyond the password. This significantly reduces the risk of unauthorized access even if a password is compromised. Consult the Authy guide for enabling MFA on Heroku for a third-party perspective on the process.

  • Protect Auth Tokens (API Keys): Treat Auth Tokens with the same level of confidentiality as passwords. Never hardcode them directly into source code, commit them to version control, or expose them publicly. Instead, store them in environment variables (e.g., using heroku config:set for app-specific variables) or secure configuration management systems. Rotate Auth Tokens periodically, especially if there's any suspicion of compromise.

  • Use OAuth 2.0 for Third-Party Integrations: When integrating with external services or building custom tools that require limited access to your Heroku account, use OAuth 2.0. This grants specific, scoped permissions without sharing your primary account credentials, minimizing the blast radius if an integration is compromised. Always review the requested scopes carefully before authorizing an OAuth application.

  • Secure Your Development Environment: Ensure that your local development machine and CI/CD environments are secure. This includes using strong passwords, keeping software updated, and restricting access to sensitive files where Heroku credentials might be stored (e.g., ~/.netrc). Implement proper access controls for pipelines that interact with Heroku.

  • Regularly Review Access: Periodically audit who has access to your Heroku account and applications. Remove access for users who no longer require it and review active API keys and OAuth grants. Heroku provides tools within the Dashboard to manage collaborators and authorized applications.

  • Implement Principle of Least Privilege: Grant only the minimum necessary permissions to users, API keys, and OAuth applications. For team collaboration, use Heroku Teams or Heroku Enterprise to manage roles and permissions granularly, ensuring that each member or integration only has access to the resources and actions they need to perform their function.

  • Monitor for Suspicious Activity: Utilize Heroku's activity feed and integrate with logging and monitoring add-ons (e.g., Papertrail, Loggly) to track login attempts, deployments, and other significant actions. Set up alerts for unusual activity patterns that might indicate a security incident.