23 days ago
The Railway CLI (on the latest version as of this writing, 4.26.0) does not seem to accept the RAILWAY_API_TOKEN. I am trying to create a new environment, and keep getting unauthorized errors. I made sure I generated and am using an account token from here, so I should be using the right token.
My workflow:
deploy-backend:
needs: seed-preview-db
runs-on: ubuntu-24.04
container: ghcr.io/railwayapp/cli:latest
env:
SVC_ID: <redacted>
RAILWAY_API_TOKEN: ${{ secrets.RAILWAY_API_TOKEN }}
ENV_VAR_NAME: DB_CONNECTION_STRING
DUPLICATE_FROM_ID: production # railway environment to duplicate from
RAILWAY_PROJECT_ID: ${{ secrets.RAILWAY_PROJECT_ID }}
steps:
- name: Install Supabase System Dependencies
run: apk add --no-cache curl bash jq
- name: Install Supabase CLI
uses: supabase/setup-cli@v1
with:
version: latest
... removed irrelevant steps here for clarity's sake
- name: Debug Railway
shell: bash
run: railway whoami
- name: Link to Railway Project
shell: bash
run: railway link --project ${{ env.RAILWAY_PROJECT_ID }}
- name: Create Railway Environment for PR
shell: bash
run: |
set -euo pipefail
if [ -z "$POSTGRES_URL" ]; then
echo "POSTGRES_URL missing — aborting Railway deploy"
exit 1
fi
railway environment new "$BRANCH_NAME" \
--duplicate "$DUPLICATE_FROM_ID" \
--service-config "$SVC_ID" variables.${ENV_VAR_NAME}.value "$POSTGRES_URL"The error I get on my github action:
Run railway whoami
Unauthorized. Please check that your RAILWAY_API_TOKEN is valid and has access to the resource you're trying to use.I even tried running this locally from scratch on a repo by using export RAILWAY_API_TOKEN=<token> and then running railway whoami, and got the exact same unauthorized error.
I am a workspace owner of this project, so it can't be a permissions issue.
Any advice would be greatly appreciated.
Pinned Solution
23 days ago
Hello,
Please check that your RAILWAY_API_TOKEN is valid and has access to the resource you're trying to use.
For the resources you are trying to use, you would need to use an account-scoped token, not a workspace-scoped token.
3 Replies
23 days ago
Hello,
Please check that your RAILWAY_API_TOKEN is valid and has access to the resource you're trying to use.
For the resources you are trying to use, you would need to use an account-scoped token, not a workspace-scoped token.
Status changed to Awaiting User Response Railway • 23 days ago
23 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 23 days ago
brody
Hello,Please check that your RAILWAY_API_TOKEN is valid and has access to the resource you're trying to use.For the resources you are trying to use, you would need to use an account-scoped token, not a workspace-scoped token.
23 days ago
Okay, this was it. I was indeed using a workspace scoped token, not an account scoped token. Apologies, I know you've stated that in other threads as well. I just didn't fully realize what you meant until now. I didn't realize there was a difference - I had thought that there were only Project tokens, and account tokens, and the tokens created on the account page were effectively the same.
Thank you for the prompt response, Brody.
Status changed to Solved brody • 23 days ago
23 days ago
For anybody who stumbles upon this in the future, on the account tokens page, when you go to create a new token, you'd probably default to selecting the workspace your project is on, but to create an account-scoped token like what what Brody is referring to, you have to leave the Workspace blank. See the attached image.
I think this is slightly unintuitive, (not sure if this is a leftover from what seems to be a transition from deprecating a 'teams' concept), and I didn't find any info on the docs clarifying this, so if there's any way I can contribute to the docs, am happy to do so.
Attachments
Status changed to Awaiting Railway Response Railway • 23 days ago
Status changed to Solved brody • 23 days ago