Profiles & tokens
OwnStack authentication has three levels: your account token (you, against a control plane); the app token (per-app, embedded in .ownstack-config); the deploy token (CI-friendly, scoped to a single app for git pushes).
Account tokens
Created when you ownstack login. Stored in ~/.ownstack/profiles/<name>. Acts on behalf of your user across every app you have access to.
$ ownstack profile list
$ ownstack profile show
$ ownstack profile use <name>
$ ownstack login --token <token> # non-interactive (CI)Rotate via the dashboard's Account → Tokens page; old tokens revoke immediately.
App tokens
Per-app, generated when you ownstack remote -a <app>. Stored in ./.ownstack-config (gitignored). Lets the local checkout deploy and run commands without re-auth.
App tokens are scoped to the specific app — useful for shared workstations or when you want a token that can't reach your other apps.
Deploy tokens
For CI: a token that can deploy a single app and nothing else. Generate in the dashboard (App → Settings → Deploy token) or via:
$ ownstack app deploy-token:show <app>
$ ownstack app deploy-token:rotate <app>In CI, log in with it: ownstack login --token <deploy-token>. Then ownstack deploy.
Multiple control planes
Each control plane is a separate profile. Hosted (api.ownstack.org) is a profile; your self-hosted instance is another. Switch with ownstack profile use.