API Keys
Publisher API keys enable programmatic package publishing from CI/CD pipelines — automating the package upload and submission process without requiring a browser login.
What API Keys Are Used For
Publisher API keys allow automated tooling to interact with the MarketHub publisher API on behalf of a publisher organization. The primary use case is CI/CD pipeline integration — automatically publishing new package versions when a build succeeds.
| Use Case | Example |
|---|---|
| Automated version publishing | GitHub Actions workflow that builds, exports via InstallHub CLI, and publishes to MarketHub on merge to main |
| Package metadata updates | Script that updates the package description from a README file in the repository |
| Screenshot uploads | Automated screenshot capture pipeline that updates package screenshots on each release |
API Key Permissions
Publisher API keys are scoped exclusively to publish operations for the publisher's own packages. They cannot access other publishers' data, admin functions, or user data.
| Operation | Allowed via API Key? |
|---|---|
| Upload new package version | Yes |
| Submit package for review | Yes |
| Update package description / tags / screenshots | Yes |
| Withdraw a submission | Yes |
| Read package analytics | Yes (own packages only) |
| Access admin functions | No |
| Access earnings / payout | No — requires session authentication |
| Delete a package | No — requires session authentication |
Creating an API Key
| Field | Description |
|---|---|
| Key Name | Descriptive label — e.g., "GitHub Actions Production", "Jenkins Pipeline" |
| Expiry | 90 days / 1 year / Never — choose based on security policy |
| IP Whitelist (optional) | Restrict key to specific IP ranges — recommended for production CI/CD |
After creating a key, the full key value is shown once — copy it immediately and store it in your secret manager. The key value cannot be retrieved again after the creation dialog is closed.
Never commit API keys to source code repositories. Use your CI/CD system's secret store (GitHub Actions Secrets, Jenkins Credentials, Azure Key Vault, etc.) to store the key value and inject it as an environment variable at build time.
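The storage guidance above can be enforced in the pipeline itself. The following preflight is an added example, not MarketHub tooling: it refuses to continue unless the key was injected from the secret store, shell tracing is off, and the key's literal value appears nowhere in the checked-out repository. The variable name `MARKETHUB_API_KEY` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight for a CI publish job. Not MarketHub tooling.
# Assumption: the secret store injects the key as MARKETHUB_API_KEY
# (hypothetical name); the function names are illustrative too.

# The key must have been injected; an unset secret usually expands to "".
require_key() {
    [ -n "${MARKETHUB_API_KEY:-}" ] && return 0
    echo "publisher API key was not injected into this job" >&2
    return 1
}

# With xtrace on, every expansion of the key would land in the build log.
tracing_off() {
    case $- in
        *x*) echo "refusing to run under 'set -x'" >&2; return 1 ;;
    esac
    return 0
}

# Search the checkout ($1) for the literal key value.
# Returns 0 if absent, 1 if some file contains it, 2 if the scan failed.
# The pattern goes to grep on stdin (-f -) so it never shows up in argv.
key_not_in_tree() {
    [ -n "${MARKETHUB_API_KEY:-}" ] || return 2   # empty pattern matches all
    hits=$(printf '%s\n' "$MARKETHUB_API_KEY" |
        grep -rIlF --exclude-dir=.git -f - -- "$1") && rc=0 || rc=$?
    case $rc in
        1) return 0 ;;
        0) echo "API key value is present in:" >&2
           printf '%s\n' "$hits" >&2      # file names only, never the key
           return 1 ;;
        *) echo "repository scan failed; not publishing" >&2
           return 2 ;;
    esac
}

# Run all checks; the publish step should run only if this returns 0.
preflight() {
    tracing_off && require_key && key_not_in_tree "${1:-.}"
}
```

Call `preflight .` from the repository root before the publish step. If it reports the key value in a file, treat the key as compromised and revoke it.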
Revoking an API Key
Revoke a key immediately if it is compromised or no longer needed. Revocation is instant — the key is invalidated within 60 seconds and any in-flight requests using it will fail. Revoked keys appear in the key list as "Revoked" for audit purposes and cannot be re-enabled.