Hexr Cloud API keys authenticate the CLI and any direct API requests you make against your tenant. Keys follow the format hxr_live_<64 hex characters> and carry a permission scope that limits what the bearer can do. This page covers how to create and use keys, what each permission level allows, and how to store keys safely.
Generating a key
Navigate to API Keys
Click API Keys in the sidebar.
Generate a new key
Click Generate New Key and select a permission level.
Copy your key
Copy the key immediately — it is shown only once and cannot be retrieved again.
Using your key
CLI authentication
hexr login --key hxr_live_0f0ea94b...
API authentication
curl -H "Authorization: Bearer hxr_live_0f0ea94b..." \
https://api.hexr.cloud/api/v1/tenants
Key permissions
| Permission | What it allows |
|---|
| Admin | Full access: manage tenants, users, keys, and deploy agents |
| Deploy | Build, push, and deploy agents. Cannot manage users or keys |
| Read-only | View agents, metrics, and logs. Cannot modify anything |
Use the minimum permission level your use case requires. CI/CD pipelines typically need Deploy; monitoring integrations only need Read-only.
Storing keys securely
Never commit API keys to source control. Rotate keys regularly, and revoke keys immediately when team members leave.
# macOS Keychain
security add-generic-password -s "hexr-api-key" -a "hexr" -w "hxr_live_..."
# Environment variable (development only)
export HEXR_API_KEY="hxr_live_..."