Poliage

API Keys & Security

Your CLI connects to the platform using API Keys. Keep these secure to prevent unauthorized changes.

Managing API Keys

Location

Found in Project Settings > General.

Usage

Set the key as an environment variable:

export POLIAGE_API_KEY=your-api-key

Or in your .env file:

POLIAGE_API_KEY=your-api-key

CI/CD Secrets

Add to your repository secrets:

| Platform | Settings Location |
| --- | --- |
| GitHub | Settings > Secrets and variables > Actions |
| GitLab | Settings > CI/CD > Variables |
| CircleCI | Project Settings > Environment Variables |

Rotating Keys

If a key is compromised:

  1. Go to Project Settings > General
  2. Click Rotate Key
  3. Confirm the rotation
  4. Update your CI/CD secrets

Rotating a key invalidates the old one immediately. Update all environments using this key before rotating.

GitHub App Permissions

The Poliage GitHub App requests:

| Permission | Type | Purpose |
| --- | --- | --- |
| Metadata | Read | Repository information |
| Commit statuses | Write | Set PR check status |
| Pull requests | Read | Identify PRs |

What We Don't Access

  • ❌ Source code files
  • ❌ Repository contents
  • ❌ Issues or comments
  • ❌ Actions or workflows

We only process the visual assets you explicitly publish.

Security Best Practices

  1. Never commit API keys to version control
  2. Use environment variables or secret managers
  3. Rotate keys periodically (every 90 days recommended)
  4. Limit key access to only necessary team members
  5. Monitor usage in the dashboard activity log
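
One way to enforce the first two practices locally, as an added example that is not part of Poliage's tooling: a POSIX shell check that reports files hard-coding a value for POLIAGE_API_KEY and confirms that .env is listed in .gitignore. The function names are hypothetical, and because this page does not document the key format, the check matches on the variable name rather than on a key pattern.

```shell
# Added example (not Poliage code): find files that hard-code a POLIAGE_API_KEY value.
# Assumption: the key format is not documented, so the match is on the
# variable name followed by any literal value.

PLACEHOLDER='your-api-key'   # sample value used in the docs, not a secret

# Print "file:line" for every literal assignment of POLIAGE_API_KEY.
# Values that start with "$" (shell variables, CI expressions such as
# ${{ secrets.POLIAGE_API_KEY }}) are references and are not reported.
find_hardcoded_keys() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -nE "POLIAGE_API_KEY[[:space:]]*[=:][[:space:]]*[\"']?[^\$\"'[:space:]]" "$f" \
      | grep -vF "$PLACEHOLDER" \
      | awk -F: -v f="$f" '{ print f ":" $1 }'
  done
}

# Succeed only if .env is listed in the .gitignore of the given directory.
# Simplification: recognises the plain patterns ".env", "/.env" and ".env*" only.
env_is_ignored() {
  [ -f "$1/.gitignore" ] && grep -qxE '/?\.env\*?' "$1/.gitignore"
}

# Gate for a pre-commit hook or CI step: non-zero exit when anything is found.
check_files() {
  findings=$(find_hardcoded_keys "$@")
  [ -z "$findings" ] && return 0
  printf 'Hard-coded POLIAGE_API_KEY value at:\n%s\n' "$findings" >&2
  return 1
}
```

In a pre-commit hook, pass the staged paths, for example `check_files $(git diff --cached --name-only)`, and abort the commit on a non-zero exit.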

Enterprise Security

For organizations with strict requirements:

  • SAML 2.0 SSO for centralized authentication
  • BYOS for data residency compliance
  • Audit logs for all API activity
  • IP allowlisting (coming soon)