Authentication

Authenticate with the Musher platform using API keys. API keys authorize requests from CLIs, SDKs, and direct API calls.

How API Key Authentication Works

Every API request must include your API key as a Bearer token in the Authorization header:

http
Authorization: Bearer mush_your_api_key_here

API keys are scoped to your organization. Create and manage keys from the Settings > API Keys page in the Musher Console.

Environment Variable

In non-interactive environments (CI runners, Docker containers, serverless functions), set the MUSHER_API_KEY environment variable instead of using musher auth login. All Musher tools read it automatically.

bash
# Add to your shell profile (~/.bashrc, ~/.zshrc, etc.)
export MUSHER_API_KEY=mush_your_api_key_here

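Reload your shell or run source ~/.bashrc to apply. The profile file now holds the key in plaintext, so keep it readable only by your user; on interactive machines, musher auth login stores the key in the OS keyring instead.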

Verify Your Key

Confirm your API key is working with a quick cURL request:

bash
curl -H "Authorization: Bearer $MUSHER_API_KEY" \
  https://api.musher.dev/agent/v1/runner/me

A successful response returns your credential and organization details.

CLI Authentication

Install the musher CLI and log in interactively:

Install

bash
curl -fsSL https://get.musher.dev | sh

Log in

bash
musher auth login

Paste your API key when prompted. The CLI stores it in your OS keyring — your key never appears in shell history.

Verify

bash
musher auth status

SDK Authentication

Both SDKs use the same credential resolution chain as the CLI. If you have already run musher auth login or set MUSHER_API_KEY, no additional configuration is needed.

bash
npm install @musher-dev/musher-sdk

The SDK authenticates automatically. See the TypeScript SDK documentation for full usage details.

CI/CD Integration

Store your API key as a secret in your CI/CD platform and expose it as the MUSHER_API_KEY environment variable.

For GitHub Actions, add MUSHER_API_KEY as a repository secret in Settings > Secrets and variables > Actions, then reference it in your workflow:

yaml
steps:
  - name: Install bundles
    env:
      MUSHER_API_KEY: ${{ secrets.MUSHER_API_KEY }}
    run: musher install acme/code-review

Key Management

Rotation

To rotate a key, create a new API key in the Console, update your environment variables and CI/CD secrets, then revoke the old key. There is no downtime — both keys work until you revoke the old one.

Revocation

Revoke compromised or unused keys immediately from Settings > API Keys in the Console. Revoked keys stop working instantly.
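
The rotation and revocation steps above can be checked from a script with the verification endpoint shown earlier on this page. This is an added example, not Musher's own tooling: the function names, the CURL_BIN override, and the reading of 401/403 as "rejected" are assumptions.

```bash
#!/usr/bin/env bash
# Added example: scripted checks for key rotation and revocation.
# CURL_BIN is a hypothetical override so the checks can be exercised offline.
MUSHER_ME_URL="https://api.musher.dev/agent/v1/runner/me"
CURL_BIN="${CURL_BIN:-curl}"

# Print the HTTP status code the API returns for the given key.
# The header is fed on stdin (-H @-, curl 7.55.0 or later) so the key
# never shows up in the process list or in shell history.
musher_key_status() {
  printf 'Authorization: Bearer %s\n' "$1" |
    "$CURL_BIN" -sS -o /dev/null -w '%{http_code}' --max-time 10 \
      -H @- "$MUSHER_ME_URL"
}

# Rotation, step 1: confirm the new key authenticates before any
# environment variable or CI/CD secret is switched over to it.
new_key_ready() {
  [ "$(musher_key_status "$1")" = "200" ]
}

# Rotation, last step: after revoking the old key in the Console,
# confirm the API no longer accepts it.
#   0 = rejected (assumed to be reported as 401 or 403)
#   1 = still accepted, revocation has not taken effect
#   2 = inconclusive (timeout, DNS failure, 5xx): do not treat as revoked
old_key_revoked() {
  case "$(musher_key_status "$1")" in
    2??)     return 1 ;;
    401|403) return 0 ;;
    *)       return 2 ;;
  esac
}
```

The inconclusive result matters: a network failure also produces a non-2xx status, and counting it as proof of revocation would leave a compromised key live.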

Scopes

API keys are scoped to your organization. A key grants access to all resources within that organization. Use separate keys for different environments (development, staging, production) to limit blast radius.