chore(auth): Remove API key authentication

Resolves #2873
Resolves [CLI-199](https://linear.app/getsentry/issue/CLI-199/remove-api-key-authentication)

Author: szokeasaurusrex

CHANGELOG.md

@@ -8,11 +8,16 @@
 
 ### Breaking changes
 
+- Removed support for the legacy API key authentication method ([#XXXX](https://github.com/getsentry/sentry-cli/pull/XXXX)). Sentry CLI now only supports authenticating with Auth Tokens. If you are using API key authentication via any of the following methods, you need to generate and use an [Auth Token](https://docs.sentry.io/account/auth-tokens/), instead:
+  - `--api-key` CLI flag
+  - `SENTRY_API_KEY` environment variable
+  - `api_key` configuration file field
+  - `apiKey` option in the JavaScript API
 - Removed the `upload-proguard` subcommand's `--app-id`, `--version`, and `--version-code` arguments ([#2876](https://github.com/getsentry/sentry-cli/pull/2876)). Users using these arguments should stop using them, as they are unnecessary. The information passed to these arguments is no longer visible in Sentry.
 
 ### Deprecations
 
-- Deprecated API key authentication (#2934)[https://github.com/getsentry/sentry-cli/pull/2934]. Users who are still using API keys to authenticate Sentry CLI should generate and use an [Auth Token](https://docs.sentry.io/account/auth-tokens/) instead. 
+- Deprecated API key authentication (#2934)[https://github.com/getsentry/sentry-cli/pull/2934]. Users who are still using API keys to authenticate Sentry CLI should generate and use an [Auth Token](https://docs.sentry.io/account/auth-tokens/) instead.
 
 ### Improvements
 

js/helper.js

@@ -302,9 +302,6 @@ async function execute(args, live, silent, configFile, config = {}) {
   if (config.authToken) {
     env.SENTRY_AUTH_TOKEN = config.authToken;
   }
-  if (config.apiKey) {
-    env.SENTRY_API_KEY = config.apiKey;
-  }
   if (config.dsn) {
     env.SENTRY_DSN = config.dsn;
   }

js/index.d.ts

@@ -9,15 +9,10 @@ declare module '@sentry/cli' {
      */
     url?: string;
     /**
-     * Authentication token for API, interchangeable with `apiKey`.
+     * Authentication token for requests to Sentry.
      * This value will update `SENTRY_AUTH_TOKEN` env variable.
      */
     authToken?: string;
-    /**
-     * Authentication token for API, interchangeable with `authToken`.
-     * This value will update `SENTRY_API_KEY` env variable.
-     */
-    apiKey?: string;
     /**
      * Sentry DSN.
      * This value will update `SENTRY_DSN` env variable.

src/api/mod.rs

@@ -1370,14 +1370,6 @@ impl<'a> AuthenticatedApi<'a> {
                     region_url.ok().map(|url| url.into())
                 }
             },
-            #[expect(deprecated, reason = "Auth key is deprecated.")]
-            Auth::Key(_) => {
-                log::warn!(
-                    "Auth key is not supported for region-specific API. Falling back to default region."
-                );
-
-                None
-            }
         };
 
         RegionSpecificApi {
@@ -1731,12 +1723,6 @@ impl ApiRequest {
     pub fn with_auth(mut self, auth: &Auth) -> ApiResult<Self> {
         self.is_authenticated = true;
         match *auth {
-            #[expect(deprecated, reason = "API key is deprecated.")]
-            Auth::Key(ref key) => {
-                self.handle.username(key)?;
-                debug!("using deprecated key based authentication");
-                Ok(self)
-            }
             Auth::Token(ref token) => {
                 debug!("using token authentication");
                 self.with_header(

src/commands/info.rs

@@ -59,8 +59,6 @@ fn describe_auth(auth: Option<&Auth>) -> &str {
     match auth {
         None => "Unauthorized",
         Some(&Auth::Token(_)) => "Auth Token",
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(&Auth::Key(_)) => "API Key (deprecated)",
     }
 }
 
@@ -75,8 +73,6 @@ fn get_config_status_json() -> Result<()> {
 
     rv.auth.auth_type = config.get_auth().map(|val| match val {
         Auth::Token(_) => "token".into(),
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Auth::Key(_) => "api_key".into(),
     });
     rv.auth.successful =
         config.get_auth().is_some() && Api::current().authenticated()?.get_auth_info().is_ok();

src/commands/login.rs

@@ -140,8 +140,6 @@ pub fn execute(matches: &ArgMatches) -> Result<()> {
 fn get_org_from_auth(auth: &Auth) -> Option<&str> {
     match auth {
         Auth::Token(token) => get_org_from_token(token),
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Auth::Key(_) => None,
     }
 }
 

src/commands/mod.rs

@@ -137,18 +137,6 @@ fn preexecute_hooks() -> Result<bool> {
 }
 
 fn configure_args(config: &mut Config, matches: &ArgMatches) {
-    if let Some(api_key) = matches.get_one::<String>("api_key") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the --api-key argument are \
-            deprecated. \
-            Please generate an auth token, and use the --auth-token argument instead."
-        );
-
-        #[expect(deprecated, reason = "Auth key is deprecated.")]
-        let auth = Auth::Key(api_key.to_owned());
-        config.set_auth(auth);
-    }
-
     if let Some(auth_token) = matches.get_one::<AuthToken>("auth_token") {
         config.set_auth(Auth::Token(auth_token.to_owned()));
     }
@@ -192,13 +180,6 @@ fn app() -> Command {
                 .value_parser(auth_token_parser)
                 .help("Use the given Sentry auth token."),
         )
-        .arg(
-            Arg::new("api_key")
-                .value_name("API_KEY")
-                .long("api-key")
-                .hide(true)
-                .help("[DEPRECATED] Use the given Sentry API key."),
-        )
         .arg(
             Arg::new("log_level")
                 .value_name("LOG_LEVEL")

src/config.rs

@@ -36,8 +36,6 @@ const MAX_RETRIES_INI_KEY: &str = "max_retries";
 /// Represents the auth information
 #[derive(Debug, Clone)]
 pub enum Auth {
-    #[deprecated(note = "Auth Key authentication is deprecated.")]
-    Key(String),
     Token(AuthToken),
 }
 
@@ -181,7 +179,6 @@ impl Config {
     pub fn set_auth(&mut self, auth: Auth) {
         self.cached_auth = Some(auth);
 
-        self.ini.delete_from(Some("auth"), "api_key");
         self.ini.delete_from(Some("auth"), "token");
         match self.cached_auth {
             Some(Auth::Token(ref val)) => {
@@ -197,10 +194,6 @@ impl Config {
                     val.raw().expose_secret().clone(),
                 );
             }
-            #[expect(deprecated, reason = "API key is deprecated.")]
-            Some(Auth::Key(ref val)) => {
-                self.ini.set_to(Some("auth"), "api_key".into(), val.clone());
-            }
             None => {}
         }
     }
@@ -739,24 +732,8 @@ impl Clone for Config {
 fn get_default_auth(ini: &Ini) -> Option<Auth> {
     if let Ok(val) = env::var("SENTRY_AUTH_TOKEN") {
         Some(Auth::Token(val.into()))
-    } else if let Ok(val) = env::var("SENTRY_API_KEY") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the `SENTRY_API_KEY` environment \
-            variable are deprecated. \
-            Please generate and set an auth token using `SENTRY_AUTH_TOKEN` instead."
-        );
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(Auth::Key(val))
     } else if let Some(val) = ini.get_from(Some("auth"), "token") {
         Some(Auth::Token(val.into()))
-    } else if let Some(val) = ini.get_from(Some("auth"), "api_key") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the `api_key` field in the \
-            Sentry CLI config file are deprecated. \
-            Please generate and set an auth token instead."
-        );
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(Auth::Key(val.to_owned()))
     } else {
         None
     }