Unable to Generate API Token with Deployment Permissions

92a
PRO

14 days ago

## Issue Summary

I need to programmatically trigger deployments and manage services via the Railway GraphQL API, but none of the tokens I generate have sufficient permissions.

## What I've Tried

1. **Project Tokens (UUID format)**
   - Generated from project settings
   - Can read project information using `Project-Access-Token` header
   - Cannot trigger deployments (returns "Not Authorized")
   - Cannot manage environment variables

2. **Personal/Team Tokens (token_xxx format)**
   - Generated from account settings
   - Attempted both personal and team token types
   - Used `Authorization: Bearer` header as documented
   - Still receiving "Not Authorized" errors for deployment operations

3. **Different API Operations Tested**
   - ✅ `query { project(id: "...") }` - Works with project token
   - ❌ `mutation { serviceInstanceRedeploy(...) }` - Not Authorized
   - ❌ `mutation { deploymentTrigger(...) }` - Problem processing request
   - ❌ `mutation { variableCollectionUpsert(...) }` - Not Authorized

## Technical Details

**Project ID**: 59af76f0-bc01-4e5d-b2ec-5472ea4d7b02
**Environment**: production
**API Endpoint**: https://backboard.railway.app/graphql/v2

**Headers Tested**:
- `Authorization: Bearer <token>` (for personal/team tokens)
- `Project-Access-Token: <token>` (for project tokens)
- Various combinations based on community suggestions

## What I Need

I need to generate a token that can:
1. Trigger service redeployments
2. Update environment variables
3. Query deployment status
4. Restart services

This is for a deployment automation service that manages multiple Railway services programmatically.

## Questions

1. What type of token should I generate for deployment automation?
2. Are there specific permissions or scopes I need to enable?
3. Is there a difference in capabilities between personal and team tokens?
4. Are there any account-level settings that might be restricting API access?

## Additional Context

- I've reviewed the Railway API documentation
- I've consulted Railway Station community posts about similar issues
- I've built comprehensive testing scripts to verify token permissions
- The tokens can read data but cannot perform any mutations

Any guidance on generating a token with full deployment permissions would be greatly appreciated. I'm happy to provide additional debugging information if needed.

12 Replies

Railway
BOT

14 days ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


13 days ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open itsrems 13 days ago


92a
PRO

11 days ago

Subject: Pro Account - API Token Generation Issue

I have a Railway Pro subscription but cannot generate personal API tokens because my account was created via GitHub OAuth. I need personal tokens (starting with "token_") for deployment automation.

Current situation:

- Pro subscription active
- Account created via GitHub OAuth
- Can only generate project tokens (UUIDs)
- Need personal tokens for API deployments

Please enable personal token generation for my account.



clashing
FREETop 1% Contributor

10 days ago

The correct API endpoint is https://backboard.railway.com/graphql/v2
Whereas you are using: https://backboard.railway.app/graphql/v2

Try this! Do let me know, if that works for you


clashing
FREETop 1% Contributor

7 days ago

Any update, jonejacobsen?



92a
PRO

5 days ago

@clashing
thanks for the suggestion - and the correct endpoint.

However, the endpoint change alone doesn't resolve the authorization issue. The core problem is with the token type and its permissions:

## This is where I am at:

1. You were right about the endpoint:
   - https://backboard.railway.com/graphql/v2 - Correct
   - https://backboard.railway.app/graphql/v2 - Returns "Not Authorized"

2. The real issue is token permissions
   - Project tokens (UUID format) are READ-ONLY
   - They cannot perform mutations like serviceInstanceRedeploy or variableCollectionUpsert
   - This is why we're getting "Not Authorized" even with the correct endpoint

3. Testing results:

```javascript
// with project token + correct endpoint
// still fails for mutations
{
  "errors": [{
    "message": "Not Authorized"
  }]
}
```

4. Probable solution:
   - Need a Personal Access Token (starts with token_)?
   - Project tokens simply don't have deployment permissions
   - This limitation isn't clearly documented

So while your endpoint correction was , the authorization issue persists due to Railway's token permission model. For deployment automation, we need personal/team tokens, not project tokens.

Thanks for pointing us in the right direction with the endpoint though.


Status changed to Solved brody 5 days ago


92a
PRO

4 days ago

For clarity - this is not solved, even if brody changed the status


Status changed to Awaiting Railway Response Railway 4 days ago



clashing
FREETop 1% Contributor

4 days ago

Oh, so you got the correct endpoint, but even now the token is posing issues. Let me see if I can help


92a
PRO

4 days ago

Thanks! I am unable to generate a token with the right scope. Looking at the documentation (https://docs.railway.com/guides/public-api) I do not have an option to create a team token (I am on a Pro plan), and the personal token I should be able to create seems to have the rights of a project token, since I consistently get "Not Authorized".


clashing
FREETop 1% Contributor

4 days ago

Can you confirm whether this is returning a response for you, or not?

By the way, while generating an account token, are you sure you selected NO TEAM from the dropdown?

And by the way, it's mentioned in the docs that Project Tokens can only be used to authenticate requests that just give information about your account (name, & email). So, for all mutation queries, one has to use the ACCOUNT TOKEN (via the Team Token section)


92a
PRO

4 days ago

I can create a token both from my account settings and from the project settings (project token). For the personal tokens, I have tried selecting and not selecting a project. I am unable to create a team token (the option is not offered to me). All combinations available return the same error. I suspect a config issue since I cannot create a team token, and have considered that using OAuth (GitHub) might be involved. Any experience with this?


clashing
FREETop 1% Contributor

4 days ago

https://railway.com/account/tokens is the page from where you could create the Personal Token (made via the Team Token section, with no team selected).

And every token in Railway follows the uuid pattern, irrespective of its nature.

So, I guess the issue is something else. As a last resort, could you share a screenshot of the request that you are making? Can you try the GraphQL playground that Railway provides in their docs?


92a
PRO

4 days ago

I understand, this is the error. We have been incorrectly assuming that UUID tokens are Project tokens and used Project-Access-Token: , not Authorization: Bearer <my-personal-token>. Thanks for helping me resolve this!


Status changed to Solved brody 4 days ago
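
The resolution above, as an added example (not code from the posters or from Railway): because account and project tokens are both UUIDs, this sends one query under each header and reports which header the API accepts. The endpoint and the two header names come from the thread; the function names, sample token, sample query and stub transport are constructed for illustration.

```javascript
// Added example: endpoint and header names are from the thread; all other names are hypothetical.
const ENDPOINT = "https://backboard.railway.com/graphql/v2";

// Both token kinds are UUIDs, so the value says nothing about the kind.
// The header chosen by the client decides how the token is interpreted.
const HEADERS_FOR = {
  account: (token) => ({ Authorization: `Bearer ${token}` }),
  project: (token) => ({ "Project-Access-Token": token }),
};

function buildRequest(kind, token, query) {
  if (!Object.hasOwn(HEADERS_FOR, kind)) throw new Error(`unknown token kind: ${kind}`);
  return {
    url: ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/json", ...HEADERS_FOR[kind](token) },
    body: JSON.stringify({ query }),
  };
}

// The thread's failure shows up as an "errors" entry in the response body.
function rejectedAsUnauthorized(body) {
  const errors = Array.isArray(body?.errors) ? body.errors : [];
  return errors.some((e) => /not authorized/i.test(String(e?.message ?? "")));
}

// Send the same query under each header and report which one the API accepts.
// "accepted" only means that no "Not Authorized" error came back.
// `send` is injected: pass sendWithFetch for a live check or a stub for offline use.
async function probeToken(token, query, send) {
  const verdicts = {};
  for (const kind of Object.keys(HEADERS_FOR)) {
    const body = await send(buildRequest(kind, token, query));
    verdicts[kind] = rejectedAsUnauthorized(body) ? "rejected" : "accepted";
  }
  return verdicts;
}

const sendWithFetch = async ({ url, ...init }) => (await fetch(url, init)).json();

// Constructed stub: behaves like the thread's case, an account token that
// only authenticates when sent as a Bearer token.
const stubSend = async (req) =>
  req.headers.Authorization ? { data: { ok: true } } : { errors: [{ message: "Not Authorized" }] };

// Constructed sample values (not real credentials or ids).
const SAMPLE_TOKEN = "00000000-0000-4000-8000-000000000000";
const SAMPLE_QUERY = 'query { project(id: "<project-id>") { id } }';
probeToken(SAMPLE_TOKEN, SAMPLE_QUERY, stubSend).then((v) => console.log(v));
```

For a live check, pass `sendWithFetch` instead of `stubSend` and supply the token from an environment variable rather than a literal in the source.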