Skip Navigation
Show nav
Heroku Dev Center Dev Center
  • Get Started
  • Documentation
  • Changelog
  • Search
Heroku Dev Center Dev Center
  • Get Started
    • Node.js
    • Ruby on Rails
    • Ruby
    • Python
    • Java
    • PHP
    • Go
    • Scala
    • Clojure
    • .NET
  • Documentation
  • Changelog
  • More
    Additional Resources
    • Home
    • Elements
    • Products
    • Pricing
    • Careers
    • Help
    • Status
    • Events
    • Podcasts
    • Compliance Center
    Heroku Blog

    Heroku Blog

    Find out what's new with Heroku on our blog.

    Visit Blog
  • Log in or Sign up
View categories

Categories

  • Heroku Architecture
    • Compute (Dynos)
      • Dyno Management
      • Dyno Concepts
      • Dyno Behavior
      • Dyno Reference
      • Dyno Troubleshooting
    • Stacks (operating system images)
    • Networking & DNS
    • Platform Policies
    • Buildpacks
    • Platform Principles
  • Developer Tools
    • AI Tools
    • Command Line
    • Heroku VS Code Extension
  • Deployment
    • Deploying with Git
    • Deploying with Docker
    • Deployment Integrations
  • Continuous Delivery & Integration (Heroku Flow)
    • Continuous Integration
  • Language Support
    • Node.js
      • Node.js Behavior in Heroku
      • Troubleshooting Node.js Apps
      • Working with Node.js
    • Ruby
      • Rails Support
        • Working with Rails
      • Working with Bundler
      • Working with Ruby
      • Ruby Behavior in Heroku
      • Troubleshooting Ruby Apps
    • Python
      • Working with Python
      • Background Jobs in Python
      • Python Behavior in Heroku
      • Working with Django
    • Java
      • Java Behavior in Heroku
      • Working with Java
      • Working with Maven
      • Working with Spring Boot
      • Troubleshooting Java Apps
    • PHP
      • Working with PHP
      • PHP Behavior in Heroku
    • Go
      • Go Dependency Management
    • Scala
    • Clojure
    • .NET
      • Working with .NET
  • Databases & Data Management
    • Heroku Postgres
      • Postgres Basics
      • Postgres Getting Started
      • Postgres Performance
      • Postgres Data Transfer & Preservation
      • Postgres Availability
      • Postgres Special Topics
      • Migrating to Heroku Postgres
      • Heroku Postgres Advanced (Limited GA)
    • Heroku Key-Value Store
    • Apache Kafka on Heroku
    • Other Data Stores
  • AI
    • Inference Essentials
    • Inference API
    • Inference Quick Start Guides
    • AI Models
    • Tool Use
    • AI Integrations
    • Vector Database
  • Monitoring & Metrics
    • Logging
  • App Performance
  • Add-ons
    • All Add-ons
  • Collaboration
  • Security
    • App Security
    • Identities & Authentication
      • Single Sign-on (SSO)
    • Private Spaces
      • Infrastructure Networking
    • Compliance
  • Heroku Enterprise
    • Enterprise Accounts
    • Enterprise Teams
  • Patterns & Best Practices
  • Extending Heroku
    • Platform API
    • App Webhooks
    • Heroku Labs
    • Building Add-ons
      • Add-on Development Tasks
      • Add-on APIs
      • Add-on Guidelines & Requirements
    • Building CLI Plugins
    • Developing Buildpacks
    • Dev Center
  • Accounts & Billing
  • Troubleshooting & Support
  • Integrating with Salesforce
    • Heroku AppLink
      • Working with Heroku AppLink
      • Heroku AppLink Reference
      • Getting Started with Heroku AppLink
    • Heroku Connect (Salesforce sync)
      • Heroku Connect Administration
      • Heroku Connect Reference
      • Heroku Connect Troubleshooting
    • Other Salesforce Integrations
  • Developer Tools
  • Command Line
  • Heroku CLI Authentication

Heroku CLI Authentication

English — 日本語に切り替える

Table of Contents [expand]

  • API Token Storage
  • Retrieving the API Token
  • Git Credential Helper
  • Netrc File Format

Last updated July 02, 2026

Authentication on Heroku uses one of these methods, depending on the situation:

  • Web-based authentication
  • Email and password
  • API token
  • SSH key

The heroku command uses the email address and password to obtain an API token. All other Heroku API requests use this token for authentication. A user can regenerate the token at will in the Heroku web interface. Regenerating an API token invalidates the current token and creates a new one. If a user changes their password, their API token regenerates.

Heroku uses the SSH key for Git push authentication when using SSH Git transport. You can use heroku keys to manage your SSH keys on Heroku.

API Token Storage

The Heroku command-line tool stores API tokens in your machine’s system keychain by default. If a supported keychain is unavailable, the Heroku CLI stores API tokens in the standard Unix file ~/.netrc ($HOME\_netrc on Windows).

The CLI supports Keychain Access on macOS, Secret Service on GNOME-based Linux distributions, and Windows Credential Manager. Our credential manager tool automatically determines which supported keychains are available and stores your credentials in secure, OS-native storage. If a supported keychain isn’t available, the credential manager falls back to storing your tokens in your .netrc file.

The netrc format is well established and well supported by various network tools on unix. With Heroku credentials stored in this file, other tools such as curl -n can access the Heroku API with little or no extra work. When using the default HTTP transport, Git uses cURL and cURL uses the API key stored in .netrc to authenticate with the Heroku HTTP Git service.

To continue to store your token in .netrc, you can set the HEROKU_NETRC_WRITE environment variable to true to override the use of the system keychain by default.

If you set HEROKU_NETRC_WRITE=true and then unset it to enable the credential manager to use your system keychain or if you never set the environment variable, your credentials remain in your .netrc file. The credential manager doesn’t automatically remove them, though your token expires after the designated time period. You can remove your credentials by running HEROKU_NETRC_WRITE=true heroku logout or manually editing the .netrc file to remove credentials that you don’t need.

Setting the HEROKU_API_KEY environment variable on your machine overrides any token saved in your system keychain or set in the .netrc file.

Usage Examples

System Keychain

Running heroku login or any other heroku command that requires authentication saves or updates your token in your system keychain. After logging in, you can verify that the CLI stored your token correctly by opening your keychain app and searching for the heroku-cli entry.

Netrc

Running heroku login, or any other heroku command that requires authentication, creates or updates your .netrc file.

$ heroku login
heroku: Press any key to open up the browser to login or q to exit
 ›   Warning: If browser does not open, visit
 ›   https://cli-auth.heroku.com/auth/browser/***
heroku: Waiting for login...
Logging in... done
Logged in as me@example.com
$ cat ~/.netrc
machine api.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430
machine git.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430

Retrieving the API Token

You can display the token via the CLI:

$ heroku auth:token
c4cd94da15ea0544802c2cfd5ec4ead324327430

Git Credential Helper

The CLI automatically configures a Git credential helper anytime you:

  • Log in with heroku login
  • Create a Heroku app with heroku create
  • Set or update the Git remote on an existing app repository with heroku git:remote

This credential helper automatically retrieves your Heroku token from your system keychain or, if a supported keychain isn’t available, from your .netrc file.

Netrc File Format

The file contains a list of free-form records and comments. Comments start with a # (hash) symbol and continue to the end of the line. Each record is of the form:

machine api.heroku.com
  login me@example.com
  password ABC123

The password field is an OAuth token. Using the account’s password is invalid and doesn’t work.

Feedback

Log in to submit feedback.

Information & Support

  • Getting Started
  • Documentation
  • Changelog
  • Compliance Center
  • Training & Education
  • Blog
  • Support Channels
  • Status

Language Reference

  • Node.js
  • Ruby
  • Java
  • PHP
  • Python
  • Go
  • Scala
  • Clojure
  • .NET

Other Resources

  • Careers
  • Elements
  • Products
  • Pricing
  • RSS
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku Blog
    • Heroku News Blog
    • Heroku Engineering Blog
  • Twitter
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku
    • Heroku Status
  • Github
  • LinkedIn
  • © 2026 Salesforce, Inc. All rights reserved. Various trademarks held by their respective owners. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States
  • heroku.com
  • Legal
  • Terms of Service
  • Privacy Information
  • Responsible Disclosure
  • Trust
  • Contact
  • Cookie Preferences
  • Your Privacy Choices