getsentry · szokeasaurusrex · Nov 11, 2025
@@ -12,6 +12,11 @@ we should rename this section to "Unreleased" -->
 
 ### Breaking Changes
 
+- Removed support for the legacy API key authentication method ([#2935](https://github.com/getsentry/sentry-cli/pull/2935)). Sentry CLI now only supports authenticating with Auth Tokens. If you are using API key authentication via any of the following methods, you need to generate and use an [Auth Token](https://docs.sentry.io/account/auth-tokens/), instead:
+  - `--api-key` CLI flag
+  - `SENTRY_API_KEY` environment variable
+  - `api_key` configuration file field
+  - `apiKey` option in the JavaScript API
 - Removed the `upload-proguard` subcommand's `--app-id`, `--version`, and `--version-code` arguments ([#2876](https://github.com/getsentry/sentry-cli/pull/2876)). Users using these arguments should stop using them, as they are unnecessary. The information passed to these arguments is no longer visible in Sentry.
 
 ### Improvements

@@ -302,9 +302,6 @@ async function execute(args, live, silent, configFile, config = {}) {
   if (config.authToken) {
     env.SENTRY_AUTH_TOKEN = config.authToken;
   }
-  if (config.apiKey) {
-    env.SENTRY_API_KEY = config.apiKey;
-  }
   if (config.dsn) {
     env.SENTRY_DSN = config.dsn;
   }

@@ -16,13 +16,6 @@ export interface SentryCliOptions {
    * This value will update `SENTRY_AUTH_TOKEN` env variable.
    */
   authToken?: string;
-  /**
-   * API key to authenticate any HTTP requests to Sentry (legacy authentication method).
-   * This value will update `SENTRY_API_KEY` env variable.
-   * @deprecated Use auth-token-based authentication via `authToken` instead.
-   *     This option is scheduled for removal in the next major release.
-   */
-  apiKey?: string;
   /**
    * Sentry DSN.
    * This value will update `SENTRY_DSN` env variable.
@@ -68,7 +61,6 @@ export type SourceMapsPathDescriptor = Omit<SentryCliUploadSourceMapsOptions, 'i
   paths: string[];
 };
 
-
 /**
  * Options for uploading source maps
  */
@@ -222,7 +214,7 @@ export interface SentryCliCommitsOptions {
  * Release management interface
  */
 export interface SentryCliReleases {
-  new(release: string, options?: { projects: string[] } | string[]): Promise<string>;
+  new (release: string, options?: { projects: string[] } | string[]): Promise<string>;
 
   setCommits(release: string, options: SentryCliCommitsOptions): Promise<string>;
 
@@ -241,4 +233,3 @@ export interface SentryCliReleases {
 
   execute(args: string[], live: boolean | 'rejectOnError'): Promise<string>;
 }
-
@@ -1370,14 +1370,6 @@ impl<'a> AuthenticatedApi<'a> {
                     region_url.ok().map(|url| url.into())
                 }
             },
-            #[expect(deprecated, reason = "Auth key is deprecated.")]
-            Auth::Key(_) => {
-                log::warn!(
-                    "Auth key is not supported for region-specific API. Falling back to default region."
-                );
-
-                None
-            }
         };
 
         RegionSpecificApi {
@@ -1731,12 +1723,6 @@ impl ApiRequest {
     pub fn with_auth(mut self, auth: &Auth) -> ApiResult<Self> {
         self.is_authenticated = true;
         match *auth {
-            #[expect(deprecated, reason = "API key is deprecated.")]
-            Auth::Key(ref key) => {
-                self.handle.username(key)?;
-                debug!("using deprecated key based authentication");
-                Ok(self)
-            }
             Auth::Token(ref token) => {
                 debug!("using token authentication");
                 self.with_header(

@@ -59,8 +59,6 @@ fn describe_auth(auth: Option<&Auth>) -> &str {
     match auth {
         None => "Unauthorized",
         Some(&Auth::Token(_)) => "Auth Token",
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(&Auth::Key(_)) => "API Key (deprecated)",
     }
 }
 
@@ -75,8 +73,6 @@ fn get_config_status_json() -> Result<()> {
 
     rv.auth.auth_type = config.get_auth().map(|val| match val {
         Auth::Token(_) => "token".into(),
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Auth::Key(_) => "api_key".into(),
     });
     rv.auth.successful =
         config.get_auth().is_some() && Api::current().authenticated()?.get_auth_info().is_ok();

@@ -140,8 +140,6 @@ pub fn execute(matches: &ArgMatches) -> Result<()> {
 fn get_org_from_auth(auth: &Auth) -> Option<&str> {
     match auth {
         Auth::Token(token) => get_org_from_token(token),
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Auth::Key(_) => None,
     }
 }
 

@@ -137,18 +137,6 @@ fn preexecute_hooks() -> Result<bool> {
 }
 
 fn configure_args(config: &mut Config, matches: &ArgMatches) {
-    if let Some(api_key) = matches.get_one::<String>("api_key") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the --api-key argument are \
-            deprecated. \
-            Please generate an auth token, and use the --auth-token argument instead."
-        );
-
-        #[expect(deprecated, reason = "Auth key is deprecated.")]
-        let auth = Auth::Key(api_key.to_owned());
-        config.set_auth(auth);
-    }
-
     if let Some(auth_token) = matches.get_one::<AuthToken>("auth_token") {
         config.set_auth(Auth::Token(auth_token.to_owned()));
     }
@@ -192,13 +180,6 @@ fn app() -> Command {
                 .value_parser(auth_token_parser)
                 .help("Use the given Sentry auth token."),
         )
-        .arg(
-            Arg::new("api_key")
-                .value_name("API_KEY")
-                .long("api-key")
-                .hide(true)
-                .help("[DEPRECATED] Use the given Sentry API key."),
-        )
         .arg(
             Arg::new("log_level")
                 .value_name("LOG_LEVEL")

@@ -36,8 +36,6 @@ const MAX_RETRIES_INI_KEY: &str = "max_retries";
 /// Represents the auth information
 #[derive(Debug, Clone)]
 pub enum Auth {
-    #[deprecated(note = "Auth Key authentication is deprecated.")]
-    Key(String),
     Token(AuthToken),
 }
 
@@ -181,7 +179,6 @@ impl Config {
     pub fn set_auth(&mut self, auth: Auth) {
         self.cached_auth = Some(auth);
 
-        self.ini.delete_from(Some("auth"), "api_key");
         self.ini.delete_from(Some("auth"), "token");
         match self.cached_auth {
             Some(Auth::Token(ref val)) => {
@@ -197,10 +194,6 @@ impl Config {
                     val.raw().expose_secret().clone(),
                 );
             }
-            #[expect(deprecated, reason = "API key is deprecated.")]
-            Some(Auth::Key(ref val)) => {
-                self.ini.set_to(Some("auth"), "api_key".into(), val.clone());
-            }
             None => {}
         }
     }
@@ -739,26 +732,9 @@ impl Clone for Config {
 fn get_default_auth(ini: &Ini) -> Option<Auth> {
     if let Ok(val) = env::var("SENTRY_AUTH_TOKEN") {
         Some(Auth::Token(val.into()))
-    } else if let Ok(val) = env::var("SENTRY_API_KEY") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the `SENTRY_API_KEY` environment \
-            variable are deprecated. \
-            Please generate and set an auth token using `SENTRY_AUTH_TOKEN` instead."
-        );
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(Auth::Key(val))
-    } else if let Some(val) = ini.get_from(Some("auth"), "token") {
-        Some(Auth::Token(val.into()))
-    } else if let Some(val) = ini.get_from(Some("auth"), "api_key") {
-        log::warn!(
-            "[DEPRECTATION NOTICE] API key authentication and the `api_key` field in the \
-            Sentry CLI config file are deprecated. \
-            Please generate and set an auth token instead."
-        );
-        #[expect(deprecated, reason = "API key is deprecated.")]
-        Some(Auth::Key(val.to_owned()))
     } else {
-        None
+        ini.get_from(Some("auth"), "token")
+            .map(|val| Auth::Token(val.into()))
     }
 }
 

@@ -26,15 +26,15 @@ Options:
           current and remote branch will be used.
       --log-level <LOG_LEVEL>
           Set the log output verbosity. [possible values: trace, debug, info, warn, error]
+      --quiet
+          Do not print any output while preserving correct exit code. This flag is currently
+          implemented only for selected subcommands. [aliases: --silent]
       --vcs-provider <vcs_provider>
           The VCS provider to use for the upload. If not provided, the current provider will be
           used.
       --head-repo-name <head_repo_name>
           The name of the git repository to use for the upload (e.g. organization/repository). If
           not provided, the current repository will be used.
-      --quiet
-          Do not print any output while preserving correct exit code. This flag is currently
-          implemented only for selected subcommands. [aliases: --silent]
       --base-repo-name <base_repo_name>
           The name of the git repository to use for the upload (e.g. organization/repository). If
           not provided, the current repository will be used.

@@ -25,15 +25,15 @@ Options:
           current and remote branch will be used.
       --log-level <LOG_LEVEL>
           Set the log output verbosity. [possible values: trace, debug, info, warn, error]
+      --quiet
+          Do not print any output while preserving correct exit code. This flag is currently
+          implemented only for selected subcommands. [aliases: --silent]
       --vcs-provider <vcs_provider>
           The VCS provider to use for the upload. If not provided, the current provider will be
           used.
       --head-repo-name <head_repo_name>
           The name of the git repository to use for the upload (e.g. organization/repository). If
           not provided, the current repository will be used.
-      --quiet
-          Do not print any output while preserving correct exit code. This flag is currently
-          implemented only for selected subcommands. [aliases: --silent]
       --base-repo-name <base_repo_name>
           The name of the git repository to use for the upload (e.g. organization/repository). If
           not provided, the current repository will be used.

@@ -17,22 +17,22 @@ Options:
   -t, --type <TYPE>              Only consider debug information files of the given type.  By
                                  default, all types are considered. [possible values: bcsymbolmap,
                                  breakpad, dsym, elf, jvm, pdb, pe, portablepdb, sourcebundle, wasm]
+      --log-level <LOG_LEVEL>    Set the log output verbosity. [possible values: trace, debug, info,
+                                 warn, error]
       --no-unwind                Do not scan for stack unwinding information. Specify this flag for
                                  builds with disabled FPO, or when stackwalking occurs on the
                                  device. This usually excludes executables and dynamic libraries.
                                  They might still be uploaded, if they contain additional
                                  processable information (see other flags).
-      --log-level <LOG_LEVEL>    Set the log output verbosity. [possible values: trace, debug, info,
-                                 warn, error]
       --no-debug                 Do not scan for debugging information. This will usually exclude
                                  debug companion files. They might still be uploaded, if they
                                  contain additional processable information (see other flags).
-      --no-sources               Do not scan for source information. This will usually exclude
-                                 source bundle files. They might still be uploaded, if they contain
-                                 additional processable information (see other flags).
       --quiet                    Do not print any output while preserving correct exit code. This
                                  flag is currently implemented only for selected subcommands.
                                  [aliases: --silent]
+      --no-sources               Do not scan for source information. This will usually exclude
+                                 source bundle files. They might still be uploaded, if they contain
+                                 additional processable information (see other flags).
       --id <ID>                  Search for specific debug identifiers.
       --require-all              Errors if not all identifiers specified with --id could be found.
       --symbol-maps <PATH>       Optional path to BCSymbolMap files which are used to resolve hidden

@@ -14,9 +14,9 @@ Options:
   -T, --show-tags                Display the Tags column.
       --auth-token <AUTH_TOKEN>  Use the given Sentry auth token.
       --max-rows <MAX_ROWS>      Maximum number of rows to print.
-      --pages <PAGES>            Maximum number of pages to fetch (100 events/page). [default: 5]
       --log-level <LOG_LEVEL>    Set the log output verbosity. [possible values: trace, debug, info,
                                  warn, error]
+      --pages <PAGES>            Maximum number of pages to fetch (100 events/page). [default: 5]
       --quiet                    Do not print any output while preserving correct exit code. This
                                  flag is currently implemented only for selected subcommands.
                                  [aliases: --silent]

@@ -22,9 +22,9 @@ Options:
   -s, --status <STATUS>          Select all issues matching a given status. [possible values:
                                  resolved, muted, unresolved]
   -a, --all                      Select all issues (this might be limited).
-  -i, --id <ID>                  Select the issue with the given ID.
       --log-level <LOG_LEVEL>    Set the log output verbosity. [possible values: trace, debug, info,
                                  warn, error]
+  -i, --id <ID>                  Select the issue with the given ID.
       --quiet                    Do not print any output while preserving correct exit code. This
                                  flag is currently implemented only for selected subcommands.
                                  [aliases: --silent]

@@ -18,9 +18,9 @@ Options:
   -s, --status <STATUS>          Select all issues matching a given status. [possible values:
                                  resolved, muted, unresolved]
   -a, --all                      Select all issues (this might be limited).
-  -i, --id <ID>                  Select the issue with the given ID.
       --log-level <LOG_LEVEL>    Set the log output verbosity. [possible values: trace, debug, info,
                                  warn, error]
+  -i, --id <ID>                  Select the issue with the given ID.
       --quiet                    Do not print any output while preserving correct exit code. This
                                  flag is currently implemented only for selected subcommands.
                                  [aliases: --silent]

@@ -28,6 +28,9 @@ Options:
 
           [default: 100]
 
+      --log-level <LOG_LEVEL>
+          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
+
       --query <QUERY>
           Query to filter logs. Example: "level:error"
 
@@ -36,20 +39,17 @@ Options:
       --live
           Live stream logs.
 
-      --log-level <LOG_LEVEL>
-          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
-
-      --poll-interval <POLL_INTERVAL>
-          Poll interval in seconds (must be > 0). Only used when --live is specified.
-
-          [default: 2]
-
       --quiet
           Do not print any output while preserving correct exit code. This flag is currently
           implemented only for selected subcommands.
 
           [aliases: --silent]
 
+      --poll-interval <POLL_INTERVAL>
+          Poll interval in seconds (must be > 0). Only used when --live is specified.
+
+          [default: 2]
+
   -h, --help
           Print help (see a summary with '-h')
 

@@ -21,20 +21,20 @@ Options:
       --check-in-margin <checkin_margin>
           The allowed margin of minutes after the expected check-in time that the monitor will not
           be considered missed for. Requires --schedule.
+      --log-level <LOG_LEVEL>
+          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
       --max-runtime <max_runtime>
           The allowed duration in minutes that the monitor may be in progress for before being
           considered failed due to timeout. Requires --schedule.
-      --log-level <LOG_LEVEL>
-          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
+      --quiet
+          Do not print any output while preserving correct exit code. This flag is currently
+          implemented only for selected subcommands. [aliases: --silent]
       --timezone <timezone>
           A tz database string (e.g. "Europe/Vienna") representing the monitor's execution
           schedule's timezone. Requires --schedule.
       --failure-issue-threshold <failure_issue_threshold>
           The number of consecutive missed or error check-ins that trigger an issue. Requires
           --schedule.
-      --quiet
-          Do not print any output while preserving correct exit code. This flag is currently
-          implemented only for selected subcommands. [aliases: --silent]
       --recovery-threshold <recovery_threshold>
           The number of consecutive successful check-ins that resolve an issue. Requires --schedule.
   -h, --help

@@ -31,24 +31,24 @@ Options:
       --timestamp <TIMESTAMP>
           Optional event timestamp in one of supported formats: unix timestamp, RFC2822 or RFC3339.
 
+      --log-level <LOG_LEVEL>
+          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
+
   -r, --release <RELEASE>
           Optional identifier of the release.
 
   -d, --dist <DISTRIBUTION>
           Set the distribution.
 
-      --log-level <LOG_LEVEL>
-          Set the log output verbosity. [possible values: trace, debug, info, warn, error]
-
-  -E, --env <ENVIRONMENT>
-          Send with a specific environment.
-
       --quiet
           Do not print any output while preserving correct exit code. This flag is currently
           implemented only for selected subcommands.
 
           [aliases: --silent]
 
+  -E, --env <ENVIRONMENT>
+          Send with a specific environment.
+
       --no-environ
           Do not send environment variables along