Provider Permissions

Learn which API key permissions are required for each provider and how to create them.

Overview

Deploynix connects to multiple external providers to provision servers, manage DNS, deploy code, and store backups. Each provider requires an API key or token with specific permissions. This guide covers exactly what's needed and how to set it up.

Server Providers

Server provider credentials allow Deploynix to create, manage, and delete servers on your behalf. Navigate to Settings → Server Providers to add credentials.

DigitalOcean

Credential required: API Token

Required permissions

• Full read/write access (DigitalOcean tokens are either read-only or full access — select Full Access)

What Deploynix does with this token

• Create, delete, reboot, and rebuild Droplets
• List regions, sizes, and images
• Upload and manage SSH keys

How to create the token

1. Log in to the DigitalOcean Control Panel
2. Navigate to API in the left sidebar
3. Click Generate New Token
4. Give it a descriptive name (e.g. deploynix)
5. Select Full Access under scopes
6. Click Generate Token and copy the token immediately — it won't be shown again

Vultr

Credential required: API Key

Required permissions

• Full access (Vultr API keys do not support granular scopes)

What Deploynix does with this key

• Create, delete, reboot, and reinstall instances
• List regions, plans, and OS images
• Upload and manage SSH keys

How to create the key

1. Log in to the Vultr Customer Portal
2. Navigate to Account → API
3. Click Enable API if not already enabled
4. Copy the API key shown
5. Optionally restrict access by IP under Access Control for added security

Linode (Akamai Cloud)

Credential required: Personal Access Token

Required permissions

• Linodes — Read/Write
• Images — Read/Write
• IPs — Read/Write
• Account — Read Only

What Deploynix does with this token

• Create, delete, reboot, and rebuild Linode instances
• List regions, Linode types, and images
• Set authorized SSH keys and root password during creation

How to create the token

1. Log in to Akamai Cloud Manager
2. Click your username in the top right and select API Tokens
3. Click Create a Personal Access Token
4. Give it a label (e.g. deploynix)
5. Set an expiry or select Never
6. Enable the permissions listed above
7. Click Create Token and copy it immediately

Hetzner Cloud

Credential required: API Token

Required permissions

• Read & Write (Hetzner tokens are scoped per project and are either read-only or read/write)

What Deploynix does with this token

• Create, delete, reboot, and rebuild servers
• List locations and server types
• Upload and manage SSH keys

How to create the token

1. Log in to the Hetzner Cloud Console
2. Select the project you want Deploynix to manage (or create a new one)
3. Navigate to Security → API Tokens
4. Click Generate API Token
5. Give it a description (e.g. deploynix)
6. Select Read & Write
7. Click Generate API Token and copy it immediately

Amazon Web Services (AWS)

Credentials required: Access Key ID + Secret Access Key

Required IAM permissions

Create a dedicated IAM user with the following policy attached:

• ec2:RunInstances — Launch instances
• ec2:TerminateInstances — Delete instances
• ec2:RebootInstances — Reboot instances
• ec2:DescribeInstances — List and inspect instances
• ec2:DescribeRegions — List available regions
• ec2:DescribeInstanceTypes — List instance types
• ec2:DescribeImages — List AMIs
• ec2:DescribeAvailabilityZones — List availability zones
• ec2:ImportKeyPair — Upload SSH keys
• ec2:DeleteKeyPair — Remove SSH keys
• ec2:CreateSecurityGroup — Create security groups
• ec2:AuthorizeSecurityGroupIngress — Add inbound rules
• ec2:DescribeSecurityGroups — List security groups
• ec2:CreateReplaceRootVolumeTask — Replace root volumes (for OS reinstall)
• ec2:DescribeReplaceRootVolumeTasks — Monitor volume replacements
• ec2:CreateTags — Tag resources

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:RebootInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones",
                "ec2:ImportKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateReplaceRootVolumeTask",
                "ec2:DescribeReplaceRootVolumeTasks",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

How to create the credentials

1. Log in to the AWS IAM Console
2. Navigate to Users → Create user
3. Enter a username (e.g. deploynix) and click Next
4. Select Attach policies directly
5. Click Create policy, paste the JSON above, and save it
6. Attach the policy to the user and click Create user
7. Navigate to the user → Security credentials → Create access key
8. Select Third-party service as the use case
9. Copy the Access Key ID and Secret Access Key

DNS Providers

DNS provider credentials are used for DNS-01 challenges when issuing wildcard SSL certificates. Navigate to Settings → DNS Providers to add credentials.

Cloudflare

Credential required: API Token (not Global API Key)

Required permissions

• Zone → DNS → Edit
• Zone → Zone → Read (to list and look up zones)

What Deploynix does with this token

• List zones to find your domain
• Create TXT records for DNS-01 certificate challenges
• Delete TXT records after certificate issuance

How to create the token

1. Log in to the Cloudflare Dashboard
2. Click your profile icon → My Profile → API Tokens
3. Click Create Token
4. Use the Edit zone DNS template, or create a custom token:
5. Set Permissions: Zone → DNS → Edit
6. Set Zone Resources: Include → All Zones (or select specific zones)
7. Click Continue to summary → Create Token
8. Copy the token immediately

DigitalOcean (DNS)

Credential required: API Token (same type as the server provider token)

Required permissions

• Full access (DigitalOcean tokens don't support granular scopes)

What Deploynix does with this token

• List domains managed in your DigitalOcean account
• Create and delete TXT records for DNS-01 challenges

You can reuse the same token you created for the DigitalOcean server provider if your DNS is also managed there.

Vultr (DNS)

Credential required: API Key (same type as the server provider key)

Required permissions

• Full access (Vultr API keys don't support granular scopes)

What Deploynix does with this key

• List domains managed in your Vultr account
• Create and delete TXT records for DNS-01 challenges

You can reuse the same key you created for the Vultr server provider if your DNS is also managed there.

AWS Route 53

Credentials required: Access Key ID + Secret Access Key + Region

Required IAM permissions

• route53:ListHostedZones — List hosted zones
• route53:GetHostedZone — Get zone details
• route53:ChangeResourceRecordSets — Create and delete DNS records
• route53:ListResourceRecordSets — List DNS records

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}

How to create the credentials

1. Follow the same IAM user creation steps from the AWS server provider section
2. Attach the Route 53 policy above instead of (or in addition to) the EC2 policy
3. If you already have an IAM user for EC2, you can attach both policies to the same user

Git Providers

Git provider tokens allow Deploynix to list repositories, manage deploy keys, and set up webhooks for automatic deployments. Navigate to Settings → Git Providers to connect.

GitHub

Credential required: Personal Access Token (Fine-grained or Classic)

Required scopes (Classic token)

• repo — Full control of private repositories (list repos, manage deploy keys)
• admin:public_key — Manage deploy keys

Required permissions (Fine-grained token)

• Repository access — Select the repositories you want to deploy
• Contents — Read-only
• Metadata — Read-only
• Administration — Read and write (for deploy keys)
• Webhooks — Read and write (for automatic deployments)

How to create the token

1. Log in to GitHub
2. Navigate to Settings → Developer settings → Personal access tokens
3. Choose Fine-grained tokens (recommended) or Tokens (classic)
4. Click Generate new token
5. Give it a name (e.g. deploynix) and set an expiration
6. Select the permissions listed above
7. Click Generate token and copy it immediately

GitLab

Credential required: Personal Access Token

Required scopes

• api — Full API access (list projects, manage deploy keys, webhooks)
• read_user — Read user profile information

How to create the token

1. Log in to GitLab (or your self-hosted instance)
2. Navigate to User Settings → Access Tokens
3. Click Add new token
4. Give it a name (e.g. deploynix) and set an expiration
5. Select the api and read_user scopes
6. Click Create personal access token and copy it immediately

Bitbucket

Credential required: App Password (not a Personal Access Token)

Required permissions

• Repositories → Read
• Repositories → Admin (for deploy keys)
• Webhooks → Read and write

How to create the app password

1. Log in to Bitbucket
2. Click your avatar → Personal settings
3. Navigate to App passwords under "Access management"
4. Click Create app password
5. Give it a label (e.g. deploynix)
6. Select the permissions listed above
7. Click Create and copy the password immediately

Backup Providers

Backup provider credentials allow Deploynix to store and retrieve database and application backups. Navigate to Settings → Backup Providers to add credentials.

AWS S3

Credentials required: Access Key + Secret Key + Region + Bucket Name

Required IAM permissions

• s3:PutObject — Upload backups
• s3:GetObject — Download backups
• s3:DeleteObject — Delete old backups
• s3:ListBucket — List backup files

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
        }
    ]
}

How to set up

1. Create an S3 bucket in the AWS S3 Console
2. Create an IAM user with the policy above (replace YOUR-BUCKET-NAME with your actual bucket name)
3. Generate an access key for the IAM user
4. Enter the Access Key, Secret Key, region, and bucket name in Deploynix

DigitalOcean Spaces

Credentials required: Spaces Access Key + Secret Key + Region + Bucket + Endpoint

Required permissions

• Full read/write access to the Space (Spaces keys grant access to all Spaces in your account)

How to set up

1. Create a Space in the DigitalOcean Control Panel
2. Navigate to API → Spaces Keys
3. Click Generate New Key
4. Copy the Key and Secret
5. The endpoint format is https://REGION.digitaloceanspaces.com (e.g. https://nyc3.digitaloceanspaces.com)

Wasabi

Credentials required: Access Key + Secret Key + Region + Bucket

Required permissions

• Full read/write access to the bucket

How to set up

1. Log in to the Wasabi Console
2. Create a bucket in your preferred region
3. Navigate to Access Keys and create a new key
4. Copy the Access Key and Secret Key
5. The endpoint is automatically derived from the region (e.g. https://s3.us-east-1.wasabisys.com)

Custom S3-Compatible

Credentials required: Access Key + Secret Key + Region + Bucket + Endpoint

Required permissions

• Read/write access to the bucket (PutObject, GetObject, DeleteObject, ListBucket)

Any S3-compatible storage provider (e.g. MinIO, Backblaze B2, Cloudflare R2) can be used. Provide the endpoint URL, credentials, and bucket name. Enable Path-style URLs if your provider requires it.

Quick Reference

A summary of all provider credentials at a glance: