Skip to main content

About Heroku

Iru reads app and dyno configuration, pipelines, add-ons, and team access metadata via the Heroku Platform API using a Bearer token (CLI authorization or account API key).

How It Works

Authorization: Bearer YOUR_TOKEN
DetailValue
CategoryPaaS / developer tooling
AuthenticationPlatform API token (Bearer)
Heroku tokens are not finely scoped; they inherit everything the generating account can access. Prefer a dedicated account with minimal team membership. Official references: Authentication, Platform API, CLI.

Prerequisites

  • Access to the Heroku CLI or dashboard API Key section.
  • Awareness of SSO: tokens may align to shorter session windows. See Heroku docs for --expires-in.

Connect Heroku to Iru

Complete this tab before you connect the source in Compliance.
1

Choose CLI or dashboard

Most teams use the Heroku CLI so the token is scoped as an authorization. If you cannot use the CLI, use the dashboard API Key path in the steps below instead.
2

Sign in with the Heroku CLI

On a trusted workstation, run heroku login (or heroku login -i for CI-style flows) and complete authentication with an account that can create authorizations.
3

Create an authorization token

Run heroku authorizations:create --description "Iru Compliance". Default expiry is often one year; SSO orgs may see shorter lifetimes. Add --expires-in when your policy requires a shorter TTL.
4

Copy the Token value from CLI output

Copy the Token string from the command output and store it in a vault until you paste it into Iru.
5

Dashboard alternative: open Account settings

In the Heroku Dashboard, select your avatarAccount settings (or Account).
6

Dashboard alternative: reveal or regenerate API Key

Open the API Key section. Use Reveal to copy the existing account-wide key, or Regenerate to issue a new one. Regenerate invalidates the prior key everywhere, so update every integration that used the old key, not only Iru.
Continue on the Iru Compliance tab.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Full token; SSO session may require a fresh authorization.
Dashboard regeneration invalidates old tokens. Update Iru.
Token’s account must belong to the right teams.

Considerations

Iru is read-only: no deploys, scales, or restarts.

Iru is read-only; no deploys, scales, or restarts.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.