Understand how ExpoDeploy handles authentication and learn best practices for keeping your account and credentials secure.
Secure sign-in using your GitHub account
ExpoDeploy uses GitHub OAuth 2.0 for authentication, eliminating the need for separate passwords. When you click "Sign In", you're redirected to GitHub to authorize ExpoDeploy. We request minimal permissions: read-only repository access to detect code pushes and manage webhooks. Your GitHub credentials are never stored - we only receive an access token.
Secure, long-lasting sessions
After authentication, ExpoDeploy creates a secure session using HTTP-only cookies. Sessions remain active until they have been idle for 30 days, so you won't need to sign in frequently. You can sign out at any time from your profile menu, which immediately invalidates your session. All sessions are encrypted and protected against common attacks like CSRF.
Programmatic access for integrations
For API access and CI/CD integrations, generate API tokens from Dashboard → Settings → API Tokens. Each token is scoped to your account and can be revoked independently. Send the token in the Authorization header of each request, in the form "Authorization: Bearer YOUR_API_TOKEN". Tokens never expire but should be rotated periodically for security.
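One way to send the Bearer header from a CI job without exposing the token in the process list or the job's command line. This is an added example, not ExpoDeploy's own code: the variable name EXPODEPLOY_API_TOKEN, both function names and the caller-supplied URL are assumptions.

```shell
#!/bin/sh
# Added example; names are hypothetical and not part of ExpoDeploy.

# Write "Authorization: Bearer <token>" to a private temp file and print its path.
# The token is read from $EXPODEPLOY_API_TOKEN (assumed name of a CI secret).
write_auth_header() {
    token=${EXPODEPLOY_API_TOKEN-}
    if [ -z "$token" ]; then
        echo "EXPODEPLOY_API_TOKEN is not set" >&2
        return 1
    fi
    # Reject whitespace and control characters: a CR or LF inside the value
    # would add an extra header line to the request.
    case $token in
        *[[:space:][:cntrl:]]*)
            echo "token contains whitespace or control characters" >&2
            return 1 ;;
    esac
    header_file=$(mktemp) || return 1
    chmod 600 "$header_file"
    # printf is a shell builtin, so the token never appears in another
    # process's argument list.
    printf 'Authorization: Bearer %s\n' "$token" > "$header_file"
    printf '%s\n' "$header_file"
}

# GET a URL with the token attached. The URL comes from the caller because
# the page does not state an API base URL.
api_get() {
    url=$1
    hdr=$(write_auth_header) || return 1
    rc=0
    # -H @file (curl 7.55.0 or later) reads the header from the file, which
    # keeps the token out of argv and out of `ps` output.
    curl --fail --silent --show-error -H @"$hdr" "$url" || rc=$?
    rm -f "$hdr"
    return "$rc"
}
```

Store the token as a masked CI secret so it is injected as an environment variable rather than written into the pipeline file.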
Follow these guidelines to keep your ExpoDeploy account secure: