In CI the HexSign CLI runs in machine mode. It uses the OAuth2 client_credentials grant, fetches a short-lived access token on each invocation, and never touches the OS keychain. You provision the credential once in the dashboard and store the secret in your pipeline's encrypted-secrets store.
Provision a service credential
1. Open Settings → CLI Tokens in the dashboard. Only Owners can create service credentials. Click "New CLI token", give it a descriptive name (e.g. "GitHub Actions — release"), and pick only the scopes the pipeline needs (read-only for jobs that just fetch artifacts).
2. Copy the client ID and secret. The dashboard shows the `client_secret` exactly once. Copy it straight into your CI's secrets store; you can't read it again later, and if it is lost the only option is to revoke and provision a new credential.
3. Store both in your pipeline. Add `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` as encrypted secrets (GitHub Actions secrets, GitLab CI variables, Bitrise secret env vars). Never commit them to your repo.
Set the env vars in CI
When both `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` are present in the environment, the CLI automatically switches to machine mode. There's no flag to toggle.
```yaml
# .github/workflows/release.yml
- name: Sync expiring items
  env:
    HEXSIGN_CLIENT_ID: ${{ secrets.HEXSIGN_CLIENT_ID }}
    HEXSIGN_CLIENT_SECRET: ${{ secrets.HEXSIGN_CLIENT_SECRET }}
  run: hexsign certificates expiring -o json
```

How scopes work
- `hexsign-api/read`: required by every `GET` request, such as listing certificates and profiles, fetching the summary, or downloading existing material.
- `hexsign-api/write`: required for any mutation: create, update, regenerate, revoke, delete. Pipelines that only fetch artifacts don't need this.
- Blocked routes: service credentials can never call `/users`, `/subscriptions`, `/contact-form`, or `/service-credentials`. The API rejects those for machine tokens regardless of scope, because they manage humans and billing.
Optional: explicit scopes
By default the CLI requests both `hexsign-api/read` and `hexsign-api/write` if the credential allows them. To restrict a single run to read-only (handy for jobs that should only fetch) set `HEXSIGN_CLIENT_SCOPES` for that command:

```shell
HEXSIGN_CLIENT_SCOPES="hexsign-api/read" hexsign certificates list -o json
```

The variable only narrows what that run asks for; it can never grant a scope the credential was not provisioned with. The durable control is still the scope selection on the credential itself, so fetch-only pipelines should use a read-only credential rather than rely on this variable.
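As an added illustration (not the HexSign CLI's own code), the following Python models the two mechanics described above: machine-mode detection from the pair of environment variables, and scope selection via `HEXSIGN_CLIENT_SCOPES`, carried through a standard OAuth2 client_credentials exchange (RFC 6749 §4.4) against a constructed stand-in for the token endpoint. The scope names and the blocked routes are the page's; the endpoint URL, the 600-second token lifetime, the error for a half-configured environment, and the server narrowing an over-broad request instead of rejecting it are assumptions made for the example.

```python
"""Model of a machine-mode CLI's token flow. Constructed example; the HexSign
CLI's real internals are not on the page and may differ."""
import base64
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

READ, WRITE = "hexsign-api/read", "hexsign-api/write"
TOKEN_URL = "https://auth.hexsign.example/oauth2/token"   # assumed endpoint
# Routes the API refuses to machine tokens (as listed on the page).
BLOCKED_PREFIXES = ("/users", "/subscriptions", "/contact-form", "/service-credentials")


def machine_mode(env):
    """Both vars present -> machine mode. Exactly one set is a CI misconfiguration:
    the CLI would stay interactive and stall waiting for a human login (assumed)."""
    cid, secret = env.get("HEXSIGN_CLIENT_ID"), env.get("HEXSIGN_CLIENT_SECRET")
    if cid and secret:
        return True
    if cid or secret:
        raise RuntimeError("set both HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET, or neither")
    return False


def requested_scopes(env):
    """HEXSIGN_CLIENT_SCOPES narrows the request; otherwise ask for read and write."""
    raw = env.get("HEXSIGN_CLIENT_SCOPES")
    return tuple(raw.split()) if raw else (READ, WRITE)


def token_request(env):
    """Client side of the grant: client id/secret as HTTP Basic (RFC 6749 §2.3.1),
    grant_type and scope in the form body. Nothing is written to disk or keychain."""
    creds = f"{env['HEXSIGN_CLIENT_ID']}:{env['HEXSIGN_CLIENT_SECRET']}".encode()
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": " ".join(requested_scopes(env))}),
    }


def mock_token_endpoint(request, registry):
    """Constructed authorization server. `registry` maps client_id -> {secret, scopes}
    (what the dashboard provisioned). Returns a short-lived bearer token or an
    RFC 6749 §5.2 error code."""
    scheme, _, b64 = request["headers"].get("Authorization", "").partition(" ")
    try:
        cid, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return {"error": "invalid_client"}
    cred = registry.get(cid)
    if scheme != "Basic" or cred is None or not hmac.compare_digest(
            cred["secret"].encode(), secret.encode()):
        return {"error": "invalid_client"}   # same answer for unknown id and wrong secret
    form = dict(parse_qsl(request["body"]))
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    asked = form.get("scope", "").split()
    granted = [s for s in asked if s in cred["scopes"]]   # §3.3: server may narrow
    if not granted:
        return {"error": "invalid_scope"}   # e.g. HEXSIGN_CLIENT_SCOPES asked only for write on a read-only credential
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 600, "scope": " ".join(granted)}   # 600 s lifetime is assumed


def blocked_for_machine_token(path):
    """Routes a service credential can never call, whatever scopes it holds."""
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed read-only credential, as a fetch-only pipeline should have.
    registry = {"ci-release": {"secret": "s3cret", "scopes": {READ}}}
    env = {"HEXSIGN_CLIENT_ID": "ci-release", "HEXSIGN_CLIENT_SECRET": "s3cret"}
    print(machine_mode(env), mock_token_endpoint(token_request(env), registry))
    env["HEXSIGN_CLIENT_SCOPES"] = WRITE   # asking for more than provisioned
    print(mock_token_endpoint(token_request(env), registry))
```

Running the block with the read-only credential shows the default request coming back narrowed to `hexsign-api/read`, while an explicit `HEXSIGN_CLIENT_SCOPES` asking only for write fails with `invalid_scope`; a wrong secret and an unknown client ID both get the same `invalid_client`, so the response does not reveal which half was wrong.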
Audit and revoke
Every successful machine-mode request updates the credential's `last_used_at` in the dashboard so you can spot stale or compromised tokens. Revocation is immediate from Settings → CLI Tokens → Revoke.