Authenticate CI with a service token

automation & ci

// what it does

In CI, skip auth login entirely: export PLANETSCALE_SERVICE_TOKEN_ID and PLANETSCALE_SERVICE_TOKEN (or pass the --service-token-id/--service-token flags) and every pscale command authenticates as the token. The classic pipeline: create a branch per PR, run migrations against it, open a deploy request on merge.

// shell

$ export PLANETSCALE_SERVICE_TOKEN_ID=<token-id> PLANETSCALE_SERVICE_TOKEN=<token-secret>
$ pscale branch create mydb pr-123 --org my-org --wait

// gotcha

Service tokens are org-scoped, so commands still need --org (or PLANETSCALE_ORG where supported). Store both halves — the ID and the secret — in your CI's secret manager; the pair is only as secret as its weaker half.

// resources