Temporal CLI cloud apikey command reference
This page provides a reference for the temporal cloud apikey commands. The flags applicable to each subcommand are listed in a table under the heading for that subcommand. Refer to Global Flags for flags that you can use with every subcommand.
create-for-me
Create a new API key owned by the currently authenticated user. The token is printed once on creation and cannot be retrieved again.
Example:
cloud apikey create-for-me --display-name "My Key"
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--description` | No | `string` An optional description for the API key. |
| `--display-name` | Yes | `string` A human-readable display name for the API key. |
| `--expiry-duration` | No | `duration` Expiry duration relative to now (e.g. 30d, 24h, 90m). Supports days (d), hours (h), minutes (m), and seconds (s). Mutually exclusive with `--expiry-time`. |
| `--expiry-time` | No | `timestamp` Expiry time for the API key in RFC3339 format (e.g. 2025-12-31T00:00:00Z). Mutually exclusive with `--expiry-duration`. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
create-for-service-account
Create a new API key owned by the specified service account. The token is printed once on creation and cannot be retrieved again.
Example:
cloud apikey create-for-service-account --service-account-id my-sa-id --display-name "My Key"
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--description` | No | `string` An optional description for the API key. |
| `--display-name` | Yes | `string` A human-readable display name for the API key. |
| `--expiry-duration` | No | `duration` Expiry duration relative to now (e.g. 30d, 24h, 90m). Supports days (d), hours (h), minutes (m), and seconds (s). Mutually exclusive with `--expiry-time`. |
| `--expiry-time` | No | `timestamp` Expiry time for the API key in RFC3339 format (e.g. 2025-12-31T00:00:00Z). Mutually exclusive with `--expiry-duration`. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
| `--service-account-id` | Yes | `string` The ID of the service account to create the API key for. |
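
Both create-for-me and create-for-service-account take an optional expiry as either `--expiry-duration` or `--expiry-time`. The following is an added example, not part of the Temporal CLI or its documentation: a pre-flight check a CI job could run before calling either command. It assumes a local policy that every key must expire within 90 days and that only the single-unit duration forms shown in the table are accepted; the function names and the 90-day ceiling are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Units the flag table documents for --expiry-duration.
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
MAX_LIFETIME = timedelta(days=90)  # hypothetical policy ceiling, not a CLI limit


def parse_expiry_duration(text):
    """Parse one number plus one unit, e.g. 30d, 24h, 90m."""
    m = re.fullmatch(r"(\d+)([dhms])", text)
    if not m:
        # Assumption: compound or fractional forms are refused, not guessed at.
        raise ValueError(f"unsupported --expiry-duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_expiry_time(text):
    """Parse an RFC3339 timestamp and normalise it to UTC."""
    if text[-1:] in ("Z", "z"):
        text = text[:-1] + "+00:00"  # fromisoformat() rejects 'Z' before Python 3.11
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError("--expiry-time needs an explicit UTC offset")
    return ts.astimezone(timezone.utc)


def check_key_expiry(expiry_duration=None, expiry_time=None, *, now,
                     max_lifetime=MAX_LIFETIME):
    """Return the key's UTC expiry, or raise ValueError if the request
    breaks the flag rules or the (assumed) lifetime policy."""
    if expiry_duration and expiry_time:
        raise ValueError("--expiry-duration and --expiry-time are mutually exclusive")
    if not expiry_duration and not expiry_time:
        raise ValueError("policy: every API key must carry an expiry")
    if expiry_duration:
        expires = now + parse_expiry_duration(expiry_duration)
    else:
        expires = parse_expiry_time(expiry_time)
    if expires <= now:
        raise ValueError("expiry is not in the future")
    if expires - now > max_lifetime:
        raise ValueError(f"lifetime {expires - now} exceeds {max_lifetime}")
    return expires


if __name__ == "__main__":
    # Constructed sample request, checked against the current time.
    print(check_key_expiry(expiry_duration="30d", now=datetime.now(timezone.utc)))
```

Because the token is printed only once, a gate like this belongs before the create call; a key created with no expiry or an over-long one can only be disabled or deleted afterwards.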
delete
Delete a Temporal Cloud API key. This action is irreversible.
Example:
cloud apikey delete --key-id my-key-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--key-id` | Yes | `string` The ID of the API key to delete. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--resource-version`, `-v` | No | `string` Resource version for optimistic concurrency control. If not provided, the current version is fetched automatically. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
disable
Disable a Temporal Cloud API key. Disabled keys cannot be used for authentication.
Example:
cloud apikey disable --key-id my-key-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--key-id` | Yes | `string` The ID of the API key to disable. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--resource-version`, `-v` | No | `string` Resource version for optimistic concurrency control. If not provided, the current version is fetched automatically. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
edit
Open an API key configuration in your default editor for interactive modification. After saving and closing the editor, the changes are applied to Temporal Cloud.
The editor is determined by the EDITOR environment variable, falling back to 'vi' if not set.
Example:
cloud apikey edit --key-id my-key-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--key-id` | Yes | `string` The ID of the API key to edit. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--resource-version`, `-v` | No | `string` Resource version for optimistic concurrency control. If not provided, the current version is fetched automatically. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
| `--verbose-diff` | No | `bool` Show detailed differences between the current and desired namespace configurations when changes are detected. |
enable
Enable a previously disabled Temporal Cloud API key.
Example:
cloud apikey enable --key-id my-key-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--key-id` | Yes | `string` The ID of the API key to enable. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--resource-version`, `-v` | No | `string` Resource version for optimistic concurrency control. If not provided, the current version is fetched automatically. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
get
Retrieve the configuration and status of a Temporal Cloud API key.
Example:
cloud apikey get --key-id my-key-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--key-id` | Yes | `string` The ID of the API key to retrieve. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
list
List API keys. Optionally filter by user ID, user email, or service account ID. At most one filter may be specified.
Example:
cloud apikey list
cloud apikey list --user-id my-user-id
cloud apikey list --service-account-id my-sa-id
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--page-size` | No | `int` Number of API keys to return per page. |
| `--page-token` | No | `string` Token for retrieving the next page of results. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
| `--service-account-id` | No | `string` Filter API keys by service account ID. Mutually exclusive with `--user-id` and `--user-email`. |
| `--user-email` | No | `string` Filter API keys by user email. Mutually exclusive with `--user-id` and `--service-account-id`. |
| `--user-id` | No | `string` Filter API keys by user ID. Mutually exclusive with `--user-email` and `--service-account-id`. |
update
Update an API key's display name, description, or disabled status. Only flags that are explicitly provided are changed.
Example:
cloud apikey update --key-id my-key-id --display-name "New Name"
cloud apikey update --key-id my-key-id --disabled=true
Use the following options to change the behavior of this command. You can also use any of the global flags that apply to all subcommands.
| Flag | Required | Description |
|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. |
| `--async` | No | `bool` Return immediately after initiating the operation instead of waiting for completion. Use the returned operation ID to check status later. |
| `--async-operation-id` | No | `string` Custom identifier for tracking this async operation. If not provided, a unique ID is generated automatically. |
| `--description` | No | `string` New description for the API key. |
| `--disabled` | No | `bool` Set to true to disable the API key, or false to enable it. |
| `--display-name` | No | `string` New display name for the API key. |
| `--idempotent` | No | `bool` Succeed silently if the resource already exists or matches the specification. Without this flag, the command errors when no changes are needed. |
| `--key-id` | Yes | `string` The ID of the API key to update. |
| `--poll-interval` | No | `duration` Time to wait between status checks when waiting for operation completion. Cannot be greater than 10 minutes. Supports minutes (m) and seconds (s). Default is 1s. |
| `--resource-version`, `-v` | No | `string` Resource version for optimistic concurrency control. If not provided, the current version is fetched automatically. |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. |
Global Flags
The following options can be used with any command.
| Flag | Required | Description | Default |
|---|---|---|---|
| `--api-key` | No | `string` API key for authenticating with Temporal Cloud. Can be used instead of interactive login for automation and CI/CD pipelines. | |
| `--auto-confirm` | No | `bool` Automatically confirm prompts and actions that require user confirmation. Useful for scripting and automation. | |
| `--config-dir` | No | `string` Directory path where CLI configuration files are stored, including authentication tokens and settings. | |
| `--disable-pop-up` | No | `bool` Prevent the CLI from opening a browser window during authentication. Useful for headless environments or when using alternative auth methods. | |
| `--server` | No | `string` Override the Temporal Cloud API server address. Used for connecting to non-production environments. | saas-api.tmprl-test.cloud:443 |