Org Scoped Tokens

TL;DR: we’re introducing a new type of deploy token that is limited to a specific organization. We’ve also added commands to list and revoke your deploy tokens.

What this is for

The tokens fly auth token gives you are terrifying and it’s not fun to use them. Deploy tokens are cool, because they help make access tokens less scary by scoping the token to an app. That said, we understand there are some in-between cases where it would be useful to have a token that isn’t as powerful as a personal access token but not locked to a specific app. Lots of folks want to automate a whole org but only that org. Here are some use cases we’ve heard from users:

  • CI tokens that are empowered to create/manipulate different test apps within an organization
  • CI tokens that only have access to one staging/production/testing “environment” org
  • A token for the machine API that can be used to orchestrate machines for running user workloads within a specific org

To that end we are adding organization scoped tokens, as well as tooling to help you manage and revoke them.


$ flyctl tokens create org -h
Create an API token limited to managing a single org and its resources. Tokens are valid for 20 years by default. We recommend using a shorter expiry if practical.

  flyctl tokens create org [flags]

  -x, --expiry duration   The duration that the token will be valid (default 175200h0m0s)
  -h, --help              help for org
  -j, --json              JSON output

Global Flags:
  -t, --access-token string   Fly API Access Token
      --verbose               Verbose output

$ flyctl tokens list -h      
List deploy tokens

  flyctl tokens list [flags]

  -a, --app string     Application name
  -h, --help           help for list
  -j, --json           JSON output
  -s, --scope string   either 'app' or 'org' (default "app")

Global Flags:
  -t, --access-token string   Fly API Access Token
      --verbose               Verbose output

$ flyctl tokens revoke -h
used like: 'fly tokens revoke [ids]'

  flyctl tokens revoke [flags]

  -h, --help   help for revoke

Global Flags:
  -t, --access-token string   Fly API Access Token
      --verbose               Verbose output


This is available as of flyctl v0.1.23


@DAlperin can we get the --name option for org tokens too?

EDIT: also are they supported with Terraform yet? Tried to use it with a Coder template and I’m getting:

  Error: Could not resolve organization
  on line 14, in provider "fly":
    14: provider "fly" {
  input:3: organization You must be authenticated to view this.

Oh good catch. I’ll add that.

To be honest I have not tested it with terraform. There isn’t a reason I could think of it wouldn’t… But also computers are weird

Cc @zxaos

I just tried an org-scoped token with the terraform provider and it seemed to work correctly. It’s possible I’m doing something differently.

My quick test was just:

terraform {
  required_providers {
    fly = {
      source = "fly-apps/fly"
    }
  }
}

resource "fly_app" "app" {
  name = "zxaos-token-testapp"
  org  = "<the-org-slug-associated-with-the-token>"
}

and then passing the token via the FLY_API_TOKEN environment variable.

If that still doesn’t work, we should probably take this over to the provider issue tracker.

@charsleysa I can also confirm that we’re also using an org token for both the Terraform provider and GraphQL API. Given the length of the token, is there a chance that a line break or whitespace might have snuck in when you transferred it?
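
The whitespace check suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell function that reports line breaks, carriage returns, tabs and leading or trailing spaces in a token value without ever printing the token. `check_token` and the sample values are constructed for illustration; `FLY_API_TOKEN` is the variable named in the thread.

```shell
# Added example (not from the thread). check_token is a hypothetical helper.
# It prints one line per problem found and never echoes the token itself,
# so it is safe to run in CI logs.

# Literal control characters, built portably for POSIX sh.
CT_NL=$(printf '\nx'); CT_NL=${CT_NL%x}   # $(...) strips a trailing LF, hence the x
CT_CR=$(printf '\r')
CT_TAB=$(printf '\t')

# check_token VALUE -> returns 0 if clean, 1 if stray whitespace was found
check_token() {
  ct_val=$1
  ct_bad=0

  if [ -z "$ct_val" ]; then
    echo "token is empty or unset"
    return 1
  fi

  case $ct_val in *"$CT_NL"*)  echo "contains a line feed";       ct_bad=1 ;; esac
  case $ct_val in *"$CT_CR"*)  echo "contains a carriage return"; ct_bad=1 ;; esac
  case $ct_val in *"$CT_TAB"*) echo "contains a tab";             ct_bad=1 ;; esac
  case $ct_val in " "*)        echo "starts with a space";        ct_bad=1 ;; esac
  case $ct_val in *" ")        echo "ends with a space";          ct_bad=1 ;; esac

  # Interior spaces are not flagged: the thread does not show the token
  # format, so this example does not assume they are invalid.

  if [ "$ct_bad" -eq 0 ]; then
    # Length only; compare it with the length of the value at its source.
    echo "no stray whitespace found (length ${#ct_val})"
  fi
  return "$ct_bad"
}

# Constructed sample values, not real tokens.
check_token "FAKE_TOKEN_abc123" || true
check_token "FAKE_TOKEN_abc123${CT_NL}" || true
```

To check the real value, call `check_token "$FLY_API_TOKEN"` in the same environment that runs Terraform or flyctl.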

I get an error when trying to deploy an app with my org token:

This deployment will:
 * create 2 "app" machines

No machines in group app, launching a new machine
Error: error creating a new machine: failed to launch VM: Not authorized to access this dischargeroottoken