# SSH keys and git tokens

Pushing to a Tokay hosted repository requires either an SSH key or a git token. Both use the repository permissions you already have, but they fit different environments.

## Use an SSH key for normal local development

If you already push to GitHub or GitLab over SSH, adding the same public key to Tokay is usually the simplest choice. Add it in account settings or from the git setup flow, then use the SSH repository URL.

The key works for every Tokay repository your account can access. Repository roles still decide whether you can read or push.

## Use a git token when SSH is not practical

A git token is an HTTPS credential created by Tokay. It fits CI systems, restricted networks, and machines where you do not want to install a personal SSH key.

A token can be limited to specific repositories, and to reading alone or reading and writing. It works only for git operations and cannot call the Tokay API or open the dashboard.

The value appears once at creation. Store it where the machine that needs it can read it.

## Revoke a credential when it should stop working

SSH keys and git tokens stop working immediately when revoked. Revocation is permanent.

A rejected push usually points to one of three problems.

- **Permission denied over SSH** means the key is missing or git offered a different key. `ssh-add -l` shows the keys currently loaded.
- **Authentication failed over HTTPS** means the token is wrong, revoked, or missing access to the repository.
- **Clone works but push fails** means either the repository role or token is read only. Both must allow writing.

See [Permissions](permissions.md) for repository roles.
