From b3513d482b081fd55513351f1a2700d5c5001acf Mon Sep 17 00:00:00 2001
From: De Clercq Wentzel <10665586+wentzeld@users.noreply.github.com>
Date: Tue, 28 Apr 2026 17:01:02 -0700
Subject: [PATCH 1/9] docs(cre): document private registry, control plane, and
deployment-registry breaking change
---
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 2 +-
.../part-1-project-setup-ts.mdx | 2 +-
.../guides/operations/deploying-workflows.mdx | 85 ++++++-
.../secrets/using-secrets-deployed.mdx | 19 +-
src/content/cre/key-terms.mdx | 9 +
src/content/cre/llms-full-go.txt | 211 +++++++++++++++---
src/content/cre/llms-full-ts.txt | 211 +++++++++++++++---
src/content/cre/reference/cli/registry.mdx | 6 +
src/content/cre/reference/cli/secrets.mdx | 47 ++--
.../reference/project-configuration-go.mdx | 25 ++-
.../reference/project-configuration-ts.mdx | 25 ++-
src/content/cre/release-notes.mdx | 15 ++
14 files changed, 550 insertions(+), 115 deletions(-)
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 1ae8628f26e..300283bd2a3 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index bad30a330e6..01cf2e63c90 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index 87452c132af..0e0bfc78622 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/getting-started/part-1-project-setup-ts.mdx b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
index 74837dc30fb..fdb7e6e3546 100644
--- a/src/content/cre/getting-started/part-1-project-setup-ts.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 576187cfe75..0691a43079a 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -18,7 +18,21 @@ import { Aside } from "@components"
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+{/* prettier-ignore */}
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+```yaml
+user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+```
+
+See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -26,8 +40,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -35,7 +102,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-1. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
{/* prettier-ignore */}
@@ -144,11 +213,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-1. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+1. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
diff --git a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
index 7aba4836364..d2a44add811 100644
--- a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
+++ b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
@@ -25,7 +25,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
1. **Authentication**: You must be logged in with `cre login`
-1. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index 7ee64e98698..e0142d2eee1 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -22,6 +22,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index bbf859afeba..b78a11f6631 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -163,6 +163,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
@@ -452,6 +461,21 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
@@ -4719,7 +4743,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
@@ -5751,7 +5792,20 @@ Last Updated: 2026-03-17
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ ```yaml
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ ```
+
+ See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -5759,8 +5813,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -5768,7 +5875,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
@@ -5877,11 +5986,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-2. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -9259,8 +9370,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
@@ -9282,6 +9399,15 @@ Last Updated: 2026-04-10
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -9347,10 +9473,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9410,10 +9537,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9454,10 +9582,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9497,11 +9626,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
@@ -10154,8 +10284,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10304,7 +10434,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with go version. See [Install Go](https://go.dev/doc/install) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16316,11 +16446,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16330,6 +16469,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16338,13 +16478,14 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index e5f4059a987..d0b97c32b50 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -163,6 +163,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
@@ -452,6 +461,21 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
@@ -4039,7 +4063,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
@@ -4850,7 +4891,20 @@ Last Updated: 2026-03-17
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ ```yaml
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ ```
+
+ See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -4858,8 +4912,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -4867,7 +4974,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
@@ -4976,11 +5085,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-2. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -8872,8 +8983,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
@@ -8895,6 +9012,15 @@ Last Updated: 2026-04-10
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -8960,10 +9086,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9023,10 +9150,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9067,10 +9195,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9110,11 +9239,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
@@ -10047,8 +10177,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10197,7 +10327,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with bun --version. See [Install Bun](https://bun.com) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16174,11 +16304,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16188,6 +16327,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16196,13 +16336,14 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index dd3edc9e77d..277c393f87d 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -47,8 +47,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
diff --git a/src/content/cre/reference/cli/secrets.mdx b/src/content/cre/reference/cli/secrets.mdx
index 1dc9db42f98..d5f9b6f2069 100644
--- a/src/content/cre/reference/cli/secrets.mdx
+++ b/src/content/cre/reference/cli/secrets.mdx
@@ -18,6 +18,15 @@ import { Aside } from "@components"
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -83,10 +92,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -146,10 +156,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -190,10 +201,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -233,11 +245,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index b9c93a88de1..5affc92515c 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -131,11 +131,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -145,6 +154,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -153,13 +163,14 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index 024ffe1765b..72d3866b635 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -136,11 +136,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -150,6 +159,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -158,13 +168,14 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/release-notes.mdx b/src/content/cre/release-notes.mdx
index 49a6a7f1502..9c8007fb657 100644
--- a/src/content/cre/release-notes.mdx
+++ b/src/content/cre/release-notes.mdx
@@ -12,6 +12,21 @@ import { Aside } from "@components"
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
From e74a84e51b3853e0586fcadf1445ef2f65427978 Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Thu, 30 Apr 2026 19:29:10 -0500
Subject: [PATCH 2/9] updates
---
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 2 +-
.../part-1-project-setup-ts.mdx | 2 +-
.../activating-pausing-workflows.mdx | 26 +-
.../guides/operations/deleting-workflows.mdx | 24 +-
.../guides/operations/deploying-workflows.mdx | 201 +++++++-
.../updating-deployed-workflows.mdx | 13 +-
.../secrets/using-secrets-deployed.mdx | 10 +-
src/content/cre/key-terms.mdx | 18 +-
src/content/cre/llms-full-go.txt | 447 +++++++++++++-----
src/content/cre/llms-full-ts.txt | 447 +++++++++++++-----
src/content/cre/organization/linking-keys.mdx | 18 +-
src/content/cre/reference/cli/account.mdx | 6 +-
src/content/cre/reference/cli/index.mdx | 14 +-
src/content/cre/reference/cli/registry.mdx | 15 +-
src/content/cre/reference/cli/secrets.mdx | 8 +-
src/content/cre/reference/cli/workflow.mdx | 34 +-
.../reference/project-configuration-go.mdx | 43 +-
.../reference/project-configuration-ts.mdx | 43 +-
src/content/cre/release-notes.mdx | 17 +-
21 files changed, 997 insertions(+), 399 deletions(-)
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 300283bd2a3..4ab8e6db38d 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index 01cf2e63c90..c322b79677c 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index 0e0bfc78622..d70935a9e87 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/getting-started/part-1-project-setup-ts.mdx b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
index fdb7e6e3546..fe05c56722d 100644
--- a/src/content/cre/getting-started/part-1-project-setup-ts.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/guides/operations/activating-pausing-workflows.mdx b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
index 7d30817d2d0..037c2be35a7 100644
--- a/src/content/cre/guides/operations/activating-pausing-workflows.mdx
+++ b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
@@ -10,7 +10,7 @@ metadata:
import { Aside } from "@components"
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -21,11 +21,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -46,15 +47,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
1. It validates that the workflow is currently paused
-1. If valid, it sends an onchain transaction to change the status to active
+1. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -114,11 +116,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
1. It validates that the workflow is currently active
-1. If valid, it sends an onchain transaction to change the status to paused
+1. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -162,7 +164,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/operations/deleting-workflows.mdx b/src/content/cre/guides/operations/deleting-workflows.mdx
index 826b3a69070..8446e5be519 100644
--- a/src/content/cre/guides/operations/deleting-workflows.mdx
+++ b/src/content/cre/guides/operations/deleting-workflows.mdx
@@ -3,24 +3,25 @@ section: cre
date: Last Modified
title: "Deleting Workflows"
metadata:
- description: "Remove workflows permanently: learn how to safely delete deployed workflows from the Workflow Registry when no longer needed."
+ description: "Remove workflows permanently: learn how to safely delete deployed workflows from their configured registry when no longer needed."
datePublished: "2025-11-04"
lastModified: "2025-11-04"
---
import { Aside } from "@components"
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -33,21 +34,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
1. It displays details about the workflow(s) to be deleted
1. It prompts you to confirm by typing the workflow name
-1. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+1. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
{/* prettier-ignore */}
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -105,7 +107,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 0691a43079a..6fec455e5b1 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -19,20 +19,48 @@ import { Aside } from "@components"
{/* prettier-ignore */}
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
-See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+{/* prettier-ignore */}
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -40,8 +68,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -58,24 +87,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -88,13 +121,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -104,7 +230,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
{/* prettier-ignore */}
@@ -113,9 +239,9 @@ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -150,7 +276,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -211,6 +339,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -219,7 +378,7 @@ After a successful deployment, you can verify that your workflow was registered
1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-1. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+1. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index d3ce1a4b47c..05c586e27f5 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -10,7 +10,7 @@ metadata:
import { Aside } from "@components"
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
{/* prettier-ignore */}
@@ -21,11 +21,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -39,7 +40,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
1. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-1. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+1. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
1. **Replacement**: The previous version is replaced with the new deployment
1. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -62,7 +63,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
index d2a44add811..52a91e8b010 100644
--- a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
+++ b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
@@ -25,19 +25,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
1. **Authentication**: You must be logged in with `cre login`
-1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index e0142d2eee1..78a4bec8eff 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -26,11 +26,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index b78a11f6631..fc8897eb6b2 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -167,11 +167,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
@@ -461,13 +475,26 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
@@ -4743,19 +4770,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
@@ -5793,19 +5820,47 @@ Last Updated: 2026-03-17
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+ Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+ ```text
+ Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+ Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+ Run "cre registry list" to see your available registries.
+ ```
+
+ Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
- See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+ See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -5813,8 +5868,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -5831,24 +5887,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -5861,13 +5921,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -5877,7 +6030,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
@@ -5886,9 +6039,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -5923,7 +6076,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -5984,6 +6139,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -5992,7 +6178,7 @@ After a successful deployment, you can verify that your workflow was registered
2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -6092,7 +6278,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -6103,11 +6289,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6128,15 +6315,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently paused
-3. If valid, it sends an onchain transaction to change the status to active
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -6196,11 +6384,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently active
-3. If valid, it sends an onchain transaction to change the status to paused
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -6244,7 +6432,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -6261,7 +6449,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
Last Updated: 2026-01-23
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
@@ -6272,11 +6460,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6290,7 +6479,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-3. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
4. **Replacement**: The previous version is replaced with the new deployment
5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -6313,7 +6502,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -6329,17 +6518,18 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
Last Updated: 2025-11-04
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -6352,21 +6542,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
2. It displays details about the workflow(s) to be deleted
3. It prompts you to confirm by typing the workflow name
-4. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -6424,7 +6615,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -7501,16 +7692,18 @@ CRE uses a simple role-based access control system with two roles:
Source: https://docs.chain.link/cre/organization/linking-keys
Last Updated: 2025-11-04
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via cre account list-key
@@ -7543,7 +7736,7 @@ Before linking a key, ensure you have:
## Linking your first key
-The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows), the CLI will detect that your address isn't linked and prompt you to link it.
+The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
### Automatic linking during deployment
@@ -7625,7 +7818,7 @@ View on explorer: https://etherscan.io/tx/
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -7769,7 +7962,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -7849,7 +8042,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
@@ -8379,7 +8572,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -8393,11 +8586,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -8421,7 +8614,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
@@ -8613,7 +8806,7 @@ PRODUCTION:
Source: https://docs.chain.link/cre/reference/cli/account
Last Updated: 2026-02-26
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
@@ -8673,7 +8866,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
@@ -8950,7 +9143,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -8970,7 +9163,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -9013,7 +9206,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -9027,10 +9220,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9048,7 +9241,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -9062,10 +9255,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9088,7 +9281,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -9102,10 +9295,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9337,7 +9530,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -9353,7 +9551,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -9368,15 +9566,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -9401,9 +9599,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -9447,8 +9645,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
@@ -10284,8 +10482,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10434,7 +10632,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with go version. See [Install Go](https://go.dev/doc/install) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16367,11 +16565,11 @@ myProject/
│ ├── abi/ # Contract ABI files (.abi JSON format)
│ └── generated/ # Auto-generated Go bindings
├── workflow1/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
├── workflow2/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
└── …
@@ -16379,7 +16577,7 @@ myProject/
- `go.mod` / `go.sum`: **Go module definition** and dependency management for the entire project.
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/evm/src/abi/`: **Contract ABIs**, where you place `.abi` JSON files for contract binding generation.
- `contracts/evm/src/generated/`: **Generated Go bindings**, automatically created by the CRE CLI from your ABI files using `cre generate-bindings`.
@@ -16446,12 +16644,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -16459,7 +16657,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16469,7 +16667,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16478,18 +16676,19 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index d0b97c32b50..5e568d8bd63 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -167,11 +167,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
@@ -461,13 +475,26 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
@@ -4063,19 +4090,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
@@ -4892,19 +4919,47 @@ Last Updated: 2026-03-17
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+ Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+ ```text
+ Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+ Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+ Run "cre registry list" to see your available registries.
+ ```
+
+ Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
- See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+ See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -4912,8 +4967,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -4930,24 +4986,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -4960,13 +5020,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -4976,7 +5129,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
@@ -4985,9 +5138,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -5022,7 +5175,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -5083,6 +5238,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -5091,7 +5277,7 @@ After a successful deployment, you can verify that your workflow was registered
2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -5191,7 +5377,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -5202,11 +5388,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5227,15 +5414,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently paused
-3. If valid, it sends an onchain transaction to change the status to active
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -5295,11 +5483,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently active
-3. If valid, it sends an onchain transaction to change the status to paused
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -5343,7 +5531,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -5360,7 +5548,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
Last Updated: 2026-01-23
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
@@ -5371,11 +5559,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5389,7 +5578,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-3. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
4. **Replacement**: The previous version is replaced with the new deployment
5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -5412,7 +5601,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -5428,17 +5617,18 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
Last Updated: 2025-11-04
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -5451,21 +5641,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
2. It displays details about the workflow(s) to be deleted
3. It prompts you to confirm by typing the workflow name
-4. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -5523,7 +5714,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -7053,16 +7244,18 @@ CRE uses a simple role-based access control system with two roles:
Source: https://docs.chain.link/cre/organization/linking-keys
Last Updated: 2025-11-04
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via cre account list-key
@@ -7095,7 +7288,7 @@ Before linking a key, ensure you have:
## Linking your first key
-The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows), the CLI will detect that your address isn't linked and prompt you to link it.
+The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
### Automatic linking during deployment
@@ -7177,7 +7370,7 @@ View on explorer: https://etherscan.io/tx/
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -7321,7 +7514,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -7401,7 +7594,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
@@ -7992,7 +8185,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -8006,11 +8199,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -8034,7 +8227,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
@@ -8226,7 +8419,7 @@ PRODUCTION:
Source: https://docs.chain.link/cre/reference/cli/account
Last Updated: 2026-02-26
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
@@ -8286,7 +8479,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
@@ -8563,7 +8756,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -8583,7 +8776,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -8626,7 +8819,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -8640,10 +8833,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8661,7 +8854,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -8675,10 +8868,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8701,7 +8894,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -8715,10 +8908,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8950,7 +9143,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -8966,7 +9164,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -8981,15 +9179,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -9014,9 +9212,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -9060,8 +9258,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
@@ -10177,8 +10375,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10327,7 +10525,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with bun --version. See [Install Bun](https://bun.com) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16221,7 +16419,7 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
├── workflow2/
@@ -16229,14 +16427,14 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
└── …
```
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/abi/`: **TypeScript ABI definitions**, where you place `.ts` files that export contract ABIs using viem's type system. Unlike Go, TypeScript doesn't require generating bindings—ABIs are used directly with viem.
- `package.json` / `tsconfig.json`: **Workflow-specific dependencies and TypeScript configuration**. Each workflow manages its own dependencies independently.
@@ -16304,12 +16502,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -16317,7 +16515,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16327,7 +16525,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16336,18 +16534,19 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/organization/linking-keys.mdx b/src/content/cre/organization/linking-keys.mdx
index cf1bd48b878..6a193f7f9f2 100644
--- a/src/content/cre/organization/linking-keys.mdx
+++ b/src/content/cre/organization/linking-keys.mdx
@@ -3,23 +3,25 @@ section: cre
date: Last Modified
title: "Linking Wallet Keys"
metadata:
- description: "Link your wallet to CRE: connect your address to deploy workflows, set up multi-sig wallets, and manage your organization's keys."
+ description: "Link your wallet to CRE: connect your address for public onchain registry workflows, set up multi-sig wallets, and manage your organization's keys."
datePublished: "2025-11-04"
lastModified: "2025-11-04"
---
import { Aside, CopyText } from "@components"
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -275,7 +277,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -354,7 +356,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
diff --git a/src/content/cre/reference/cli/account.mdx b/src/content/cre/reference/cli/account.mdx
index 7a78a044449..726da746610 100644
--- a/src/content/cre/reference/cli/account.mdx
+++ b/src/content/cre/reference/cli/account.mdx
@@ -3,14 +3,14 @@ section: cre
date: Last Modified
title: "Account Management"
metadata:
- description: "Manage wallet addresses with CLI: link, unlink, and list keys for deploying workflows to the Workflow Registry."
+ description: "Manage wallet addresses with CLI: link, unlink, and list keys for public onchain registry workflows."
datePublished: "2025-11-04"
lastModified: "2026-02-26"
---
import { Aside } from "@components"
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
{/* prettier-ignore */}
@@ -70,7 +70,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
diff --git a/src/content/cre/reference/cli/index.mdx b/src/content/cre/reference/cli/index.mdx
index c2cc38d4311..ec1474eb0f5 100644
--- a/src/content/cre/reference/cli/index.mdx
+++ b/src/content/cre/reference/cli/index.mdx
@@ -64,7 +64,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -78,11 +78,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -106,7 +106,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 277c393f87d..5004f06f8e2 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -14,7 +14,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -30,7 +35,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -45,15 +50,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/cli/secrets.mdx b/src/content/cre/reference/cli/secrets.mdx
index d5f9b6f2069..0bc5d8f8052 100644
--- a/src/content/cre/reference/cli/secrets.mdx
+++ b/src/content/cre/reference/cli/secrets.mdx
@@ -20,9 +20,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -66,8 +66,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
{/* prettier-ignore */}
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
diff --git a/src/content/cre/reference/cli/workflow.mdx b/src/content/cre/reference/cli/workflow.mdx
index 80a3f95e01a..b94162dc7fb 100644
--- a/src/content/cre/reference/cli/workflow.mdx
+++ b/src/content/cre/reference/cli/workflow.mdx
@@ -138,7 +138,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -158,7 +158,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -201,7 +201,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -215,10 +215,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -236,7 +236,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -250,10 +250,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -276,7 +276,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -290,10 +290,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index 5affc92515c..3e9e6e480d3 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -52,11 +52,11 @@ myProject/
│ ├── abi/ # Contract ABI files (.abi JSON format)
│ └── generated/ # Auto-generated Go bindings
├── workflow1/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
├── workflow2/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
└── …
@@ -64,7 +64,7 @@ myProject/
- `go.mod` / `go.sum`: **Go module definition** and dependency management for the entire project.
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/evm/src/abi/`: **Contract ABIs**, where you place `.abi` JSON files for contract binding generation.
- `contracts/evm/src/generated/`: **Generated Go bindings**, automatically created by the CRE CLI from your ABI files using `cre generate-bindings`.
@@ -131,12 +131,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -144,7 +144,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -154,7 +154,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -163,18 +163,19 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index 72d3866b635..af1bfe798cb 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -53,7 +53,7 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
├── workflow2/
@@ -61,14 +61,14 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
└── …
```
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/abi/`: **TypeScript ABI definitions**, where you place `.ts` files that export contract ABIs using viem's type system. Unlike Go, TypeScript doesn't require generating bindings—ABIs are used directly with viem.
- `package.json` / `tsconfig.json`: **Workflow-specific dependencies and TypeScript configuration**. Each workflow manages its own dependencies independently.
@@ -136,12 +136,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -149,7 +149,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -159,7 +159,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -168,18 +168,19 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/release-notes.mdx b/src/content/cre/release-notes.mdx
index 9c8007fb657..129d61136ca 100644
--- a/src/content/cre/release-notes.mdx
+++ b/src/content/cre/release-notes.mdx
@@ -12,13 +12,26 @@ import { Aside } from "@components"
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
From e593ff36c89c78090c7c31ab71396faf4808a3a3 Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Wed, 6 May 2026 17:41:54 -0500
Subject: [PATCH 3/9] updates
---
src/config/sidebar.ts | 4 +
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 1 +
.../part-1-project-setup-ts.mdx | 1 +
.../activating-pausing-workflows.mdx | 2 +-
.../guides/operations/deleting-workflows.mdx | 2 +-
.../deploying-to-private-registry.mdx | 290 ++++++++++
.../guides/operations/deploying-workflows.mdx | 136 +----
.../updating-deployed-workflows.mdx | 2 +-
src/content/cre/llms-full-go.txt | 507 ++++++++++++------
src/content/cre/llms-full-ts.txt | 507 ++++++++++++------
.../cre/reference/cli/project-setup-go.mdx | 21 +-
.../cre/reference/cli/project-setup-ts.mdx | 21 +-
src/content/cre/reference/cli/registry.mdx | 6 +-
.../reference/project-configuration-go.mdx | 33 +-
.../reference/project-configuration-ts.mdx | 33 +-
src/content/cre/service-quotas.mdx | 17 +
18 files changed, 1064 insertions(+), 527 deletions(-)
create mode 100644 src/content/cre/guides/operations/deploying-to-private-registry.mdx
diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index 47a3e3c5b26..db5c3be77a6 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -450,6 +450,10 @@ export const SIDEBAR: Partial> = {
title: "Deploying Workflows",
url: "cre/guides/operations/deploying-workflows",
},
+ {
+ title: "Deploying to the Private Registry",
+ url: "cre/guides/operations/deploying-to-private-registry",
+ },
{
title: "Activating & Pausing Workflows",
url: "cre/guides/operations/activating-pausing-workflows",
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 4ab8e6db38d..2114f1009f7 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index c322b79677c..4cd184fff16 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index d70935a9e87..1a38f21bd69 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -86,6 +86,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Golang` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: A Golang Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**:
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+{/* prettier-ignore */}
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+{/* prettier-ignore */}
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+{/* prettier-ignore */}
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 4f8839a4749..f865df260ad 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -18,38 +18,6 @@ import { Aside } from "@components"
-{/* prettier-ignore */}
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
-Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
-```yaml
-user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
-```
-
-See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -68,7 +36,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -87,12 +55,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -127,100 +95,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
-
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -239,7 +116,7 @@ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -468,6 +345,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index 05c586e27f5..23a5354dd4f 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -25,7 +25,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 78806a25f94..69a583928aa 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -280,6 +280,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
@@ -5810,37 +5827,6 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
- Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
- ```text
- Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
- Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
- Run "cre registry list" to see your available registries.
- ```
-
- Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
- ```yaml
- user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
- ```
-
- See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -5859,7 +5845,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -5878,12 +5864,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -5918,100 +5904,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -6030,7 +5925,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -6259,12 +6154,297 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
---
+# Deploying to the Private Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -6284,7 +6464,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6455,7 +6635,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6519,7 +6699,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9645,15 +9825,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -10560,8 +10740,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10762,6 +10942,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Golang` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: A Golang Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**: my-calculator-workflow
+ - **Deployment registry**: Select your preferred registry. Private (off-chain) registries appear first — choose `private` for quick testing without a wallet or gas, or `onchain:ethereum-mainnet` for the public Workflow Registry. If no registries appear, this step is skipped.
The CLI will then create a new `onchain-calculator` directory and initialize your first workflow within it.
@@ -16261,14 +16442,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -16280,6 +16462,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
2. **Language** (Go or TypeScript)
3. **Workflow template** (fetched dynamically from configured template sources)
4. **Workflow name**
+5. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
@@ -16303,12 +16486,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-go \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
@@ -16722,20 +16906,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16745,7 +16921,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16754,19 +16930,20 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index a0164e947e5..e6231af92c4 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -280,6 +280,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
@@ -4909,37 +4926,6 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
- Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
- ```text
- Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
- Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
- Run "cre registry list" to see your available registries.
- ```
-
- Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
- ```yaml
- user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
- ```
-
- See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -4958,7 +4944,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -4977,12 +4963,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -5017,100 +5003,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
-
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -5129,7 +5024,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -5358,12 +5253,297 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
---
+# Deploying to the Private Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -5383,7 +5563,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5554,7 +5734,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5618,7 +5798,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9258,15 +9438,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -10453,8 +10633,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10655,6 +10835,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Typescript` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: Typescript Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**: my-calculator-workflow
+ - **Deployment registry**: Select your preferred registry. Private (off-chain) registries appear first — choose `private` for quick testing without a wallet or gas, or `onchain:ethereum-mainnet` for the public Workflow Registry. If no registries appear, this step is skipped.
The CLI will then create a new `onchain-calculator` directory and initialize your first workflow within it.
@@ -16188,14 +16369,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -16207,6 +16389,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
2. **Language** (Go or TypeScript)
3. **Workflow template** (fetched dynamically from configured template sources)
4. **Workflow name**
+5. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
@@ -16230,12 +16413,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-ts \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
@@ -16580,20 +16764,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16603,7 +16779,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16612,19 +16788,20 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/reference/cli/project-setup-go.mdx b/src/content/cre/reference/cli/project-setup-go.mdx
index 3f030dfcbd2..834a95dcff8 100644
--- a/src/content/cre/reference/cli/project-setup-go.mdx
+++ b/src/content/cre/reference/cli/project-setup-go.mdx
@@ -40,14 +40,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -59,6 +60,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
1. **Language** (Go or TypeScript)
1. **Workflow template** (fetched dynamically from configured template sources)
1. **Workflow name**
+1. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
{/* prettier-ignore */}
@@ -82,12 +84,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-go \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
{/* prettier-ignore */}
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
diff --git a/src/content/cre/reference/cli/project-setup-ts.mdx b/src/content/cre/reference/cli/project-setup-ts.mdx
index 88a5e9fb0fb..62be7759e91 100644
--- a/src/content/cre/reference/cli/project-setup-ts.mdx
+++ b/src/content/cre/reference/cli/project-setup-ts.mdx
@@ -40,14 +40,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -59,6 +60,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
1. **Language** (Go or TypeScript)
1. **Workflow template** (fetched dynamically from configured template sources)
1. **Workflow name**
+1. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
{/* prettier-ignore */}
@@ -82,12 +84,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-ts \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
{/* prettier-ignore */}
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 5004f06f8e2..6ba3e83940b 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -50,15 +50,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index 3e9e6e480d3..58dee5e4139 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -131,20 +131,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -154,7 +146,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -163,19 +155,20 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index af1bfe798cb..f01c83488eb 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -136,20 +136,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -159,7 +151,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -168,19 +160,20 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/service-quotas.mdx b/src/content/cre/service-quotas.mdx
index 8dbd7926261..7e8d8806a07 100644
--- a/src/content/cre/service-quotas.mdx
+++ b/src/content/cre/service-quotas.mdx
@@ -16,6 +16,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+{/* prettier-ignore */}
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
From 3a6911bb9befdb2822d56f97f950f74ce675396a Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Wed, 6 May 2026 17:58:16 -0500
Subject: [PATCH 4/9] reformat guides
---
src/config/sidebar.ts | 14 +-
.../activating-pausing-workflows.mdx | 2 +-
.../guides/operations/deleting-workflows.mdx | 2 +-
.../deploying-to-onchain-registry.mdx | 265 ++++++++
.../deploying-to-private-registry.mdx | 44 +-
.../guides/operations/deploying-workflows.mdx | 329 +--------
.../updating-deployed-workflows.mdx | 2 +-
src/content/cre/key-terms.mdx | 2 +-
src/content/cre/llms-full-go.txt | 640 +++++++++---------
src/content/cre/llms-full-ts.txt | 640 +++++++++---------
src/content/cre/reference/cli/registry.mdx | 2 +-
11 files changed, 935 insertions(+), 1007 deletions(-)
create mode 100644 src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index db5c3be77a6..57d961200e5 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -449,10 +449,16 @@ export const SIDEBAR: Partial> = {
{
title: "Deploying Workflows",
url: "cre/guides/operations/deploying-workflows",
- },
- {
- title: "Deploying to the Private Registry",
- url: "cre/guides/operations/deploying-to-private-registry",
+ children: [
+ {
+ title: "Deploying to the Private Registry",
+ url: "cre/guides/operations/deploying-to-private-registry",
+ },
+ {
+ title: "Deploying to the Onchain Registry",
+ url: "cre/guides/operations/deploying-to-onchain-registry",
+ },
+ ],
},
{
title: "Activating & Pausing Workflows",
diff --git a/src/content/cre/guides/operations/activating-pausing-workflows.mdx b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
index 84ce45748de..1a34b472c13 100644
--- a/src/content/cre/guides/operations/activating-pausing-workflows.mdx
+++ b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
@@ -25,7 +25,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
diff --git a/src/content/cre/guides/operations/deleting-workflows.mdx b/src/content/cre/guides/operations/deleting-workflows.mdx
index 52de991095b..0832c40a011 100644
--- a/src/content/cre/guides/operations/deleting-workflows.mdx
+++ b/src/content/cre/guides/operations/deleting-workflows.mdx
@@ -20,7 +20,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
diff --git a/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx b/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
new file mode 100644
index 00000000000..4a5f89075e4
--- /dev/null
+++ b/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
@@ -0,0 +1,265 @@
+---
+section: cre
+date: Last Modified
+title: "Deploying to the Onchain Registry"
+metadata:
+ description: "Deploy CRE workflows to the public Workflow Registry contract on Ethereum Mainnet using a linked wallet key."
+ datePublished: "2026-05-06"
+ lastModified: "2026-05-06"
+---
+
+import { Aside } from "@components"
+
+{/* prettier-ignore */}
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+1. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+1. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+{/* prettier-ignore */}
+
+Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+1. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+{/* prettier-ignore */}
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
diff --git a/src/content/cre/guides/operations/deploying-to-private-registry.mdx b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
index 27a288cac3a..0d4693d7853 100644
--- a/src/content/cre/guides/operations/deploying-to-private-registry.mdx
+++ b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
@@ -15,7 +15,9 @@ import { Aside } from "@components"
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
{/* prettier-ignore */}
@@ -29,7 +31,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -39,34 +41,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
-
-Run `cre registry list` to see the registries available to your organization:
-
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -96,14 +75,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
{/* prettier-ignore */}
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -144,7 +121,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -284,7 +261,8 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index f865df260ad..97ae6b073be 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -3,9 +3,9 @@ section: cre
date: Last Modified
title: "Deploying Workflows"
metadata:
- description: "Deploy your workflow: learn how to register your workflow and start running it across a Decentralized Oracle Network (DON)."
+ description: "Deploy your workflow: understand the two CRE registry models and choose the right deployment path for your project."
datePublished: "2025-11-04"
- lastModified: "2026-04-30"
+ lastModified: "2026-05-06"
---
import { Aside } from "@components"
@@ -18,31 +18,21 @@ import { Aside } from "@components"
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
{/* prettier-ignore */}
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
+## Comparing registries
-Before you can deploy a workflow, you must have:
-
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -63,289 +53,34 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-{/* prettier-ignore */}
-
-Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
-
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
-
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
-
-### Step 2: Run the deploy command
-
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
-
-```bash
-cre workflow deploy [flags]
-```
-
-Example command to target the `production-settings` environment:
-
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
-
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-1. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-## CI/CD pipeline integration
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-{/* prettier-ignore */}
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-{/* prettier-ignore */}
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
+## Limits
-## Using multi-sig wallets
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+## Deployment guides
-## Next steps
+For step-by-step instructions, choose the guide for your target registry:
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index 23a5354dd4f..92f2041ab10 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -25,7 +25,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index 78a4bec8eff..722c51ddc98 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -29,7 +29,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 69a583928aa..aca90b0013a 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -170,7 +170,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
@@ -5819,7 +5819,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-04-30
+Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -5827,31 +5827,21 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
-
-Before you can deploy a workflow, you must have:
+## Comparing registries
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -5872,292 +5862,37 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-
-
- Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-### Step 2: Run the deploy command
+## Limits
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-```bash
-cre workflow deploy [flags]
-```
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-Example command to target the `production-settings` environment:
+## Deployment guides
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+For step-by-step instructions, choose the guide for your target registry:
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
-
-## CI/CD pipeline integration
-
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
-
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
-
-## Using multi-sig wallets
-
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
-
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-## Next steps
-
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
---
@@ -6169,7 +5904,9 @@ Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
@@ -6183,7 +5920,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -6193,34 +5930,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Run `cre registry list` to see the registries available to your organization:
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
-
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -6250,14 +5964,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -6298,7 +6010,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -6438,13 +6150,273 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
---
+# Deploying to the Onchain Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-onchain-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+2. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+
+
+ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+3. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -6464,7 +6436,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6635,7 +6607,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6699,7 +6671,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9833,7 +9805,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index e6231af92c4..938ffc84168 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -170,7 +170,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
@@ -4918,7 +4918,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-04-30
+Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -4926,31 +4926,21 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
-
-Before you can deploy a workflow, you must have:
+## Comparing registries
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -4971,292 +4961,37 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-
-
- Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-### Step 2: Run the deploy command
+## Limits
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-```bash
-cre workflow deploy [flags]
-```
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-Example command to target the `production-settings` environment:
+## Deployment guides
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+For step-by-step instructions, choose the guide for your target registry:
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
-
-## CI/CD pipeline integration
-
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
-
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
-
-## Using multi-sig wallets
-
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
-
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-## Next steps
-
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
---
@@ -5268,7 +5003,9 @@ Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
@@ -5282,7 +5019,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -5292,34 +5029,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Run `cre registry list` to see the registries available to your organization:
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
-
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -5349,14 +5063,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -5397,7 +5109,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -5537,13 +5249,273 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
---
+# Deploying to the Onchain Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-onchain-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+2. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+
+
+ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+3. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -5563,7 +5535,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5734,7 +5706,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5798,7 +5770,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9446,7 +9418,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 6ba3e83940b..d0f2c6990db 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -58,7 +58,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.
From 9339a8e086c03642155bd9bb1259d9f66cf4f25b Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Tue, 12 May 2026 17:37:37 -0500
Subject: [PATCH 5/9] added some warnings
---
.../deploying-to-private-registry.mdx | 13 +++++
.../http-trigger/local-testing-tool.mdx | 12 +++++
.../http-trigger/overview-go.mdx | 12 ++---
.../http-trigger/overview-ts.mdx | 12 ++---
.../triggering-deployed-workflows.mdx | 13 ++++-
src/content/cre/llms-full-go.txt | 48 ++++++++++++++++---
src/content/cre/llms-full-ts.txt | 48 ++++++++++++++++---
7 files changed, 131 insertions(+), 27 deletions(-)
diff --git a/src/content/cre/guides/operations/deploying-to-private-registry.mdx b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
index 0d4693d7853..7af9678e485 100644
--- a/src/content/cre/guides/operations/deploying-to-private-registry.mdx
+++ b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
@@ -259,6 +259,19 @@ jobs:
Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+## HTTP triggers with the private registry
+
+If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+
+| Registry | HTTP trigger gateway URL |
+| ----------------- | ------------------------------------------------------ |
+| Public (on-chain) | `https://01.gateway.zone-a.cre.chain.link` |
+| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+
+Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests (in local testing, CI scripts, or backend integrations) to use the enterprise gateway URL when targeting private registry workflows.
+
+See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+
## Next steps
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
diff --git a/src/content/cre/guides/workflow/using-triggers/http-trigger/local-testing-tool.mdx b/src/content/cre/guides/workflow/using-triggers/http-trigger/local-testing-tool.mdx
index 2059b6f2497..d6dcf1ac95c 100644
--- a/src/content/cre/guides/workflow/using-triggers/http-trigger/local-testing-tool.mdx
+++ b/src/content/cre/guides/workflow/using-triggers/http-trigger/local-testing-tool.mdx
@@ -72,6 +72,18 @@ GATEWAY_URL=https://01.gateway.zone-a.cre.chain.link
Replace `0xYourPrivateKeyHere` with your EVM private key.
+{/* prettier-ignore */}
+
+ If your workflow is deployed to the **private registry** (`deployment-registry: "private"`), set `GATEWAY_URL` to:
+
+```
+GATEWAY_URL=https://01.enterprise-gateway.zone-a.cre.chain.link/
+```
+
+Use `https://01.gateway.zone-a.cre.chain.link` for workflows deployed to the public onchain registry.
+
+
+
Never commit `.env` files to version control. Add `.env` to your `.gitignore` file. The package repository already
includes `.env` in `.gitignore` by default.
diff --git a/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-go.mdx b/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-go.mdx
index 328efff58e0..92917867dd5 100644
--- a/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-go.mdx
+++ b/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-go.mdx
@@ -54,12 +54,12 @@ This section provides everything you need to work with HTTP triggers:
## Quick comparison: Simulation vs Production
-| Aspect | Simulation | Production |
-| ------------------ | ------------------------------- | -------------------------------------------------------- |
-| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
-| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
-| **Endpoint** | Local simulator | CRE gateway (`https://01.gateway.zone-a.cre.chain.link`) |
-| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
+| Aspect | Simulation | Production |
+| ------------------ | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
+| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
+| **Endpoint** | Local simulator | CRE gateway — public registry: `https://01.gateway.zone-a.cre.chain.link` / private registry: `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
## Key concepts
diff --git a/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-ts.mdx b/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-ts.mdx
index 1b7e134a200..794dc7441ee 100644
--- a/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-ts.mdx
+++ b/src/content/cre/guides/workflow/using-triggers/http-trigger/overview-ts.mdx
@@ -54,12 +54,12 @@ This section provides everything you need to work with HTTP triggers:
## Quick comparison: Simulation vs Production
-| Aspect | Simulation | Production |
-| ------------------ | ------------------------------- | -------------------------------------------------------- |
-| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
-| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
-| **Endpoint** | Local simulator | CRE gateway (`https://01.gateway.zone-a.cre.chain.link`) |
-| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
+| Aspect | Simulation | Production |
+| ------------------ | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
+| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
+| **Endpoint** | Local simulator | CRE gateway — public registry: `https://01.gateway.zone-a.cre.chain.link` / private registry: `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
## Key concepts
diff --git a/src/content/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows.mdx b/src/content/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows.mdx
index 87b5efe2876..af218ab45ba 100644
--- a/src/content/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows.mdx
+++ b/src/content/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows.mdx
@@ -68,6 +68,17 @@ Details:
All workflow executions use JSON-RPC 2.0 format:
+{/* prettier-ignore */}
+
+ The gateway URL differs based on how your workflow is deployed:
+
+- **Public (onchain) registry**: `https://01.gateway.zone-a.cre.chain.link`
+- **Private registry** (`deployment-registry: "private"`): `https://01.enterprise-gateway.zone-a.cre.chain.link/`
+
+Use the URL that matches the registry your workflow is deployed to. Run `cre registry list` or check your `workflow.yaml` if you're unsure.
+
+
+
```http
POST https://01.gateway.zone-a.cre.chain.link
Content-Type: application/json
@@ -230,7 +241,7 @@ If you're testing deployed workflows during development, use the [Local Testing
## Example request (conceptual)
-Here's what a complete curl request looks like:
+Here's what a complete curl request looks like (using the public registry gateway — substitute `https://01.enterprise-gateway.zone-a.cre.chain.link/` if your workflow is deployed to the private registry):
```bash
curl -X POST https://01.gateway.zone-a.cre.chain.link \
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 82e86c88478..a1dd4e48c90 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -1814,6 +1814,16 @@ Details:
All workflow executions use JSON-RPC 2.0 format:
+
+
+ The gateway URL differs based on how your workflow is deployed:
+
+ - **Public (onchain) registry**: `https://01.gateway.zone-a.cre.chain.link`
+ - **Private registry** (`deployment-registry: "private"`): `https://01.enterprise-gateway.zone-a.cre.chain.link/`
+
+ Use the URL that matches the registry your workflow is deployed to. Run `cre registry list` or check your `workflow.yaml` if you're unsure.
+
+
```http
POST https://01.gateway.zone-a.cre.chain.link
Content-Type: application/json
@@ -1976,7 +1986,7 @@ If you're testing deployed workflows during development, use the [Local Testing
## Example request (conceptual)
-Here's what a complete curl request looks like:
+Here's what a complete curl request looks like (using the public registry gateway — substitute `https://01.enterprise-gateway.zone-a.cre.chain.link/` if your workflow is deployed to the private registry):
```bash
curl -X POST https://01.gateway.zone-a.cre.chain.link \
@@ -2167,6 +2177,17 @@ GATEWAY_URL=https://01.gateway.zone-a.cre.chain.link
Replace `0xYourPrivateKeyHere` with your EVM private key.
+
+
+ If your workflow is deployed to the **private registry** (`deployment-registry: "private"`), set `GATEWAY_URL` to:
+
+ ```
+ GATEWAY_URL=https://01.enterprise-gateway.zone-a.cre.chain.link/
+ ```
+
+ Use `https://01.gateway.zone-a.cre.chain.link` for workflows deployed to the public onchain registry.
+
+
Never commit `.env` files to version control. Add `.env` to your `.gitignore` file. The package repository already
includes `.env` in `.gitignore` by default.
@@ -6186,6 +6207,19 @@ jobs:
Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+## HTTP triggers with the private registry
+
+If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+
+| Registry | HTTP trigger gateway URL |
+| ----------------- | ------------------------------------------------------ |
+| Public (on-chain) | `https://01.gateway.zone-a.cre.chain.link` |
+| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+
+Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests (in local testing, CI scripts, or backend integrations) to use the enterprise gateway URL when targeting private registry workflows.
+
+See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+
## Next steps
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
@@ -16422,12 +16456,12 @@ This section provides everything you need to work with HTTP triggers:
## Quick comparison: Simulation vs Production
-| Aspect | Simulation | Production |
-| ------------------ | ------------------------------- | -------------------------------------------------------- |
-| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
-| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
-| **Endpoint** | Local simulator | CRE gateway (`https://01.gateway.zone-a.cre.chain.link`) |
-| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
+| Aspect | Simulation | Production |
+| ------------------ | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
+| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
+| **Endpoint** | Local simulator | CRE gateway — public registry: `https://01.gateway.zone-a.cre.chain.link` / private registry: `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
## Key concepts
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 92f4928da2a..6a6c7d598ac 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -1800,6 +1800,16 @@ Details:
All workflow executions use JSON-RPC 2.0 format:
+
+
+ The gateway URL differs based on how your workflow is deployed:
+
+ - **Public (onchain) registry**: `https://01.gateway.zone-a.cre.chain.link`
+ - **Private registry** (`deployment-registry: "private"`): `https://01.enterprise-gateway.zone-a.cre.chain.link/`
+
+ Use the URL that matches the registry your workflow is deployed to. Run `cre registry list` or check your `workflow.yaml` if you're unsure.
+
+
```http
POST https://01.gateway.zone-a.cre.chain.link
Content-Type: application/json
@@ -1962,7 +1972,7 @@ If you're testing deployed workflows during development, use the [Local Testing
## Example request (conceptual)
-Here's what a complete curl request looks like:
+Here's what a complete curl request looks like (using the public registry gateway — substitute `https://01.enterprise-gateway.zone-a.cre.chain.link/` if your workflow is deployed to the private registry):
```bash
curl -X POST https://01.gateway.zone-a.cre.chain.link \
@@ -2153,6 +2163,17 @@ GATEWAY_URL=https://01.gateway.zone-a.cre.chain.link
Replace `0xYourPrivateKeyHere` with your EVM private key.
+
+
+ If your workflow is deployed to the **private registry** (`deployment-registry: "private"`), set `GATEWAY_URL` to:
+
+ ```
+ GATEWAY_URL=https://01.enterprise-gateway.zone-a.cre.chain.link/
+ ```
+
+ Use `https://01.gateway.zone-a.cre.chain.link` for workflows deployed to the public onchain registry.
+
+
Never commit `.env` files to version control. Add `.env` to your `.gitignore` file. The package repository already
includes `.env` in `.gitignore` by default.
@@ -5285,6 +5306,19 @@ jobs:
Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+## HTTP triggers with the private registry
+
+If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+
+| Registry | HTTP trigger gateway URL |
+| ----------------- | ------------------------------------------------------ |
+| Public (on-chain) | `https://01.gateway.zone-a.cre.chain.link` |
+| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+
+Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests (in local testing, CI scripts, or backend integrations) to use the enterprise gateway URL when targeting private registry workflows.
+
+See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+
## Next steps
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
@@ -16349,12 +16383,12 @@ This section provides everything you need to work with HTTP triggers:
## Quick comparison: Simulation vs Production
-| Aspect | Simulation | Production |
-| ------------------ | ------------------------------- | -------------------------------------------------------- |
-| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
-| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
-| **Endpoint** | Local simulator | CRE gateway (`https://01.gateway.zone-a.cre.chain.link`) |
-| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
+| Aspect | Simulation | Production |
+| ------------------ | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authorization** | Optional (can use empty config) | Required (`authorizedKeys` must be configured) |
+| **Trigger method** | CLI with `--input` flag | HTTP POST to gateway endpoint with JWT |
+| **Endpoint** | Local simulator | CRE gateway — public registry: `https://01.gateway.zone-a.cre.chain.link` / private registry: `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+| **Use case** | Development, testing, debugging | Live integrations, webhooks, production APIs |
## Key concepts
From 5da201d7fdbbea644cc9ad06776b4adbab2927dc Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Tue, 12 May 2026 17:38:36 -0500
Subject: [PATCH 6/9] fix deploying-workflows page
---
src/content/cre/guides/operations/deploying-workflows.mdx | 6 +-----
src/content/cre/llms-full-go.txt | 2 +-
src/content/cre/llms-full-ts.txt | 2 +-
3 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index b55363db507..ac5091089db 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -5,11 +5,7 @@ title: "Deploying Workflows"
metadata:
description: "Deploy your workflow: understand the two CRE registry models and choose the right deployment path for your project."
datePublished: "2025-11-04"
-<<<<<<< HEAD
- lastModified: "2026-05-06"
-=======
- lastModified: "2026-05-08"
->>>>>>> origin/main
+ lastModified: "2026-05-12"
---
import { Aside } from "@components"
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index a1dd4e48c90..408a309f484 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -5878,7 +5878,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-05-06
+Last Updated: 2026-05-12
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 6a6c7d598ac..f1b42844e44 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -4977,7 +4977,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-05-06
+Last Updated: 2026-05-12
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
From 55ce1583f0afa38013419cc2102f97ed5e2ae04c Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Tue, 12 May 2026 17:58:54 -0500
Subject: [PATCH 7/9] broke out pages for ts and go
---
src/config/sidebar.ts | 8 +
...x => deploying-to-onchain-registry-go.mdx} | 13 +-
.../deploying-to-onchain-registry-ts.mdx | 272 +
.../deploying-to-private-registry-go.mdx | 272 +
...x => deploying-to-private-registry-ts.mdx} | 53 +-
src/content/cre/llms-full-go.txt | 7454 ++++++++---------
src/content/cre/llms-full-ts.txt | 6166 +++++++-------
7 files changed, 7388 insertions(+), 6850 deletions(-)
rename src/content/cre/guides/operations/{deploying-to-onchain-registry.mdx => deploying-to-onchain-registry-go.mdx} (96%)
create mode 100644 src/content/cre/guides/operations/deploying-to-onchain-registry-ts.mdx
create mode 100644 src/content/cre/guides/operations/deploying-to-private-registry-go.mdx
rename src/content/cre/guides/operations/{deploying-to-private-registry.mdx => deploying-to-private-registry-ts.mdx} (92%)
diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index f9ad9aef1b5..179efcaebab 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -453,10 +453,18 @@ export const SIDEBAR: Partial> = {
{
title: "Deploying to the Private Registry",
url: "cre/guides/operations/deploying-to-private-registry",
+ highlightAsCurrent: [
+ "cre/guides/operations/deploying-to-private-registry-ts",
+ "cre/guides/operations/deploying-to-private-registry-go",
+ ],
},
{
title: "Deploying to the Onchain Registry",
url: "cre/guides/operations/deploying-to-onchain-registry",
+ highlightAsCurrent: [
+ "cre/guides/operations/deploying-to-onchain-registry-ts",
+ "cre/guides/operations/deploying-to-onchain-registry-go",
+ ],
},
],
},
diff --git a/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx b/src/content/cre/guides/operations/deploying-to-onchain-registry-go.mdx
similarity index 96%
rename from src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
rename to src/content/cre/guides/operations/deploying-to-onchain-registry-go.mdx
index 4a5f89075e4..c6c37701d1f 100644
--- a/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
+++ b/src/content/cre/guides/operations/deploying-to-onchain-registry-go.mdx
@@ -2,14 +2,21 @@
section: cre
date: Last Modified
title: "Deploying to the Onchain Registry"
+sdkLang: "go"
+pageId: "operations-deploying-to-onchain-registry"
metadata:
description: "Deploy CRE workflows to the public Workflow Registry contract on Ethereum Mainnet using a linked wallet key."
datePublished: "2026-05-06"
- lastModified: "2026-05-06"
+ lastModified: "2026-05-12"
---
import { Aside } from "@components"
+{/* prettier-ignore */}
+
+ This page covers deployment to the onchain registry for Go workflows. For TypeScript workflows, see [Deploying to the Onchain Registry (TypeScript)](/cre/guides/operations/deploying-to-onchain-registry-ts).
+
+
{/* prettier-ignore */}
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -29,7 +36,7 @@ Before deploying to the onchain registry, ensure you have:
- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
-- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup (Go)](/cre/getting-started/part-1-project-setup-go).
## The deployment process
@@ -59,7 +66,7 @@ production-settings:
workflow-name: "my-workflow-production"
deployment-registry: "onchain:ethereum-mainnet"
workflow-artifacts:
- workflow-path: "./main.ts" # Go: "."
+ workflow-path: "."
config-path: "./config.production.json"
secrets-path: ""
```
diff --git a/src/content/cre/guides/operations/deploying-to-onchain-registry-ts.mdx b/src/content/cre/guides/operations/deploying-to-onchain-registry-ts.mdx
new file mode 100644
index 00000000000..6d366110a50
--- /dev/null
+++ b/src/content/cre/guides/operations/deploying-to-onchain-registry-ts.mdx
@@ -0,0 +1,272 @@
+---
+section: cre
+date: Last Modified
+title: "Deploying to the Onchain Registry"
+sdkLang: "ts"
+pageId: "operations-deploying-to-onchain-registry"
+metadata:
+ description: "Deploy CRE workflows to the public Workflow Registry contract on Ethereum Mainnet using a linked wallet key."
+ datePublished: "2026-05-06"
+ lastModified: "2026-05-12"
+---
+
+import { Aside } from "@components"
+
+{/* prettier-ignore */}
+
+ This page covers deployment to the onchain registry for TypeScript workflows. For Go workflows, see [Deploying to the Onchain Registry (Go)](/cre/guides/operations/deploying-to-onchain-registry-go).
+
+
+{/* prettier-ignore */}
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup (TypeScript)](/cre/getting-started/part-1-project-setup-ts).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+1. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+1. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+{/* prettier-ignore */}
+
+Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+1. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+{/* prettier-ignore */}
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
diff --git a/src/content/cre/guides/operations/deploying-to-private-registry-go.mdx b/src/content/cre/guides/operations/deploying-to-private-registry-go.mdx
new file mode 100644
index 00000000000..b883b9b1e4d
--- /dev/null
+++ b/src/content/cre/guides/operations/deploying-to-private-registry-go.mdx
@@ -0,0 +1,272 @@
+---
+section: cre
+date: Last Modified
+title: "Deploying to the Private Registry"
+sdkLang: "go"
+pageId: "operations-deploying-to-private-registry"
+metadata:
+ description: "Deploy and manage CRE workflows using the Chainlink-hosted private registry — no linked wallet, no gas, and no Ethereum Mainnet RPC required for registry operations."
+ datePublished: "2026-05-06"
+ lastModified: "2026-05-12"
+---
+
+import { Aside } from "@components"
+
+{/* prettier-ignore */}
+
+ This page covers deployment to the private registry for Go workflows. For TypeScript workflows, see [Deploying to the Private Registry (TypeScript)](/cre/guides/operations/deploying-to-private-registry-ts).
+
+
+{/* prettier-ignore */}
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
+
+{/* prettier-ignore */}
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup (Go)](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
+
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+{/* prettier-ignore */}
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 2: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 3: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+{/* prettier-ignore */}
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## HTTP triggers with the private registry
+
+If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+
+| Registry | HTTP trigger gateway URL |
+| ---------------- | ------------------------------------------------------ |
+| Public (onchain) | `https://01.gateway.zone-a.cre.chain.link` |
+| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+
+Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests — in local testing, CI scripts, or backend integrations — to use the enterprise gateway URL when targeting private registry workflows.
+
+See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
diff --git a/src/content/cre/guides/operations/deploying-to-private-registry.mdx b/src/content/cre/guides/operations/deploying-to-private-registry-ts.mdx
similarity index 92%
rename from src/content/cre/guides/operations/deploying-to-private-registry.mdx
rename to src/content/cre/guides/operations/deploying-to-private-registry-ts.mdx
index 7af9678e485..b5a939e9412 100644
--- a/src/content/cre/guides/operations/deploying-to-private-registry.mdx
+++ b/src/content/cre/guides/operations/deploying-to-private-registry-ts.mdx
@@ -2,14 +2,21 @@
section: cre
date: Last Modified
title: "Deploying to the Private Registry"
+sdkLang: "ts"
+pageId: "operations-deploying-to-private-registry"
metadata:
description: "Deploy and manage CRE workflows using the Chainlink-hosted private registry — no linked wallet, no gas, and no Ethereum Mainnet RPC required for registry operations."
datePublished: "2026-05-06"
- lastModified: "2026-05-06"
+ lastModified: "2026-05-12"
---
import { Aside } from "@components"
+{/* prettier-ignore */}
+
+ This page covers deployment to the private registry for TypeScript workflows. For Go workflows, see [Deploying to the Private Registry (Go)](/cre/guides/operations/deploying-to-private-registry-go).
+
+
{/* prettier-ignore */}
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -32,7 +39,7 @@ Before deploying to the private registry, ensure you have:
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
-- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup (TypeScript)](/cre/getting-started/part-1-project-setup-ts).
Unlike the public onchain registry, you do **not** need:
@@ -47,8 +54,6 @@ When you run `cre init`, the wizard prompts you to select a deployment registry
If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
-**TypeScript:**
-
```yaml
# workflow.yaml
staging-settings:
@@ -61,20 +66,6 @@ staging-settings:
secrets-path: ""
```
-**Go:**
-
-```yaml
-# workflow.yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "."
- config-path: "./config.staging.json"
- secrets-path: ""
-```
-
{/* prettier-ignore */}
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
@@ -227,6 +218,19 @@ When you pass `--secrets-auth=browser`, the CLI opens a browser window to author
See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+## HTTP triggers with the private registry
+
+If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+
+| Registry | HTTP trigger gateway URL |
+| ---------------- | ------------------------------------------------------ |
+| Public (onchain) | `https://01.gateway.zone-a.cre.chain.link` |
+| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+
+Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests — in local testing, CI scripts, or backend integrations — to use the enterprise gateway URL when targeting private registry workflows.
+
+See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+
## CI/CD with the private registry
Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
@@ -259,19 +263,6 @@ jobs:
Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-## HTTP triggers with the private registry
-
-If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
-
-| Registry | HTTP trigger gateway URL |
-| ----------------- | ------------------------------------------------------ |
-| Public (on-chain) | `https://01.gateway.zone-a.cre.chain.link` |
-| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
-
-Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests (in local testing, CI scripts, or backend integrations) to use the enterprise gateway URL when targeting private registry workflows.
-
-See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
-
## Next steps
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 408a309f484..0530f7967fa 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -5955,3093 +5955,2990 @@ For step-by-step instructions, choose the guide for your target registry:
---
-# Deploying to the Private Registry
-Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
-Last Updated: 2026-05-06
-
-
- Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-
-
-The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+# Activating & Pausing Workflows
+Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
+Last Updated: 2025-11-04
-This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
+**Workflow states:**
-
- The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
-
+- **Active** — The workflow can respond to its configured triggers and execute
+- **Paused** — The workflow cannot respond to triggers and will not execute
## Prerequisites
-Before deploying to the private registry, ensure you have:
+Before activating or pausing workflows, ensure you have:
-- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
-- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
-- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
+- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
+- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
-Unlike the public onchain registry, you do **not** need:
+## Activating a workflow
-- A linked wallet key (`cre account link-key`)
-- `CRE_ETH_PRIVATE_KEY` in your `.env` file
-- An Ethereum Mainnet RPC URL in `project.yaml`
-- ETH for gas
+The `cre workflow activate` command changes a paused workflow's status to active, allowing its triggers to fire and the workflow to execute.
-## Step 1: Set `deployment-registry` in your `workflow.yaml`
+### When to activate
-When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
+You typically use `activate` after pausing a workflow to resume execution after maintenance or debugging.
-If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
+### Usage
-**TypeScript:**
+Run the command from your project root:
-```yaml
-# workflow.yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
- secrets-path: ""
+```bash
+cre workflow activate my-workflow --target production-settings
```
-**Go:**
-
-```yaml
-# workflow.yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "."
- config-path: "./config.staging.json"
- secrets-path: ""
-```
+The CLI identifies which workflow to activate based on:
+- `workflow-name` from your `workflow.yaml` file
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
-
- `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-
+### What happens during activation
-## Step 2: Deploy the workflow
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
+2. It validates that the workflow is currently paused
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-From your project root, run the deploy command with your target:
+### Example onchain registry output
```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
-
-**Example output:**
+> cre workflow activate my-workflow --target production-settings
-```
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
+Activating Workflow : my-workflow
+Target : production-settings
+Owner Address :
-Compiling workflow...
-Workflow compiled successfully
+Activating workflow: Name=my-workflow, Owner=, WorkflowID=
+Transaction details:
+ Chain Name: ethereum-testnet-sepolia
+ To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+ Function: ActivateWorkflow
+ Inputs:
+ [0]:
+ [1]: zone-a
+ Data: 530979d6000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100000 gwei
+ Total Cost: 0.00000038 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.staging.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+✓ Transaction confirmed: 0xd5b94bd...87498b
+View on explorer: https://sepolia.etherscan.io/tx/0xd5b94bd...87498b
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
+✓ Workflow activated successfully
Details:
- Registry: private
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+ Transaction hash: 0xd5b94bd...87498b
Workflow Name: my-workflow
Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
```
-The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+## Pausing a workflow
-## Step 3: Verify the deployment
+The `cre workflow pause` command changes an active workflow's status to paused, preventing its triggers from firing and stopping execution.
-Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+### When to pause
-```bash
-cre workflow list
-```
+Pause workflows when you need to:
-Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+- **Perform maintenance**: Temporarily stop execution while updating dependencies or configuration
+- **Debug issues**: Halt execution to investigate errors or unexpected behavior
+- **Temporarily halt operations**: Stop workflow execution without permanently deleting it
+
+### Usage
+
+Run the command from your project root:
```bash
-cre workflow list --registry private
+cre workflow pause my-workflow --target production-settings
```
-You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
-
-## Managing a private registry workflow
+### What happens during pausing
-All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
+2. It validates that the workflow is currently active
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Activate
+### Example onchain registry output
```bash
-cre workflow activate my-workflow --target staging-settings
-```
+> cre workflow pause my-workflow --target production-settings
-**Example output:**
+Pausing Workflow : my-workflow
+Target : production-settings
+Owner Address :
-```
-Fetching workflow to activate... Name=my-workflow
+Fetching workflows to pause... Name=my-workflow, Owner=
+Processing batch pause... count=1
+Transaction details:
+ Chain Name: ethereum-testnet-sepolia
+ To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+ Function: BatchPauseWorkflows
+ Inputs:
+ [0]: []
+ Data: d8b80738000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100000 gwei
+ Total Cost: 0.00000021 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
-Processing activation for workflow ID ...
-✓ Workflow activated successfully
+✓ Transaction confirmed
+View on explorer: https://sepolia.etherscan.io/tx/0x2e09a66...db66e
+✓ Workflows paused successfully
Details:
- Registry: private
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+ Transaction hash: 0x2e09a66...db66e
Workflow Name: my-workflow
Workflow ID:
- Status: Active
- Owner:
```
-### Pause
-```bash
-cre workflow pause my-workflow --target staging-settings
-```
+
+ Triggers that would have fired while a workflow was paused are **not queued or retroactively executed**. When you activate the workflow again, it will only respond to new triggers that occur after activation.
+
-**Example output:**
+## Using multi-sig wallets
-```
-Fetching workflow to pause... Name=my-workflow
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
-Processing pause for workflow ID ...
-✓ Workflow paused successfully
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Paused
- Owner:
-```
+## Learn more
-### Update
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Learn how to deploy workflows to the registry
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update your workflow code and configuration
+- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Permanently remove workflows from the registry
+- [CLI Reference: Workflow Commands](/cre/reference/cli/workflow) — Complete command reference with all flags and options
-Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+---
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
+# Updating Deployed Workflows
+Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
+Last Updated: 2026-01-23
-The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
-### Delete
-```bash
-cre workflow delete my-workflow --target staging-settings
-```
+
+ The workflow ID changes each time you update a workflow. This is because the workflow ID is a hash derived from the workflow binary and configuration. If your consumer contract uses the workflow ID for validation, make sure to update the expected workflow ID after each update. See [Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts#34-configuring-permissions) for details.
+
-The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+## Prerequisites
+Before updating a deployed workflow, ensure you have:
-
- Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
-
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
+- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
+- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
-## Secrets with the private registry
+## Updating a workflow
-Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+To update a workflow, simply redeploy it using the same workflow name:
```bash
-# Create secrets for a private registry workflow
-cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
-
-# Update secrets
-cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
-
-# List secrets
-cre secrets list --target staging-settings --secrets-auth=browser
+cre workflow deploy my-workflow --target production-settings
```
-When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
-
-See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
-
-## CI/CD with the private registry
-
-Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
-
-```yaml
-# .github/workflows/deploy-private.yml
-name: Deploy to Private Registry
-
-on:
- push:
- branches: [main]
+### What happens during an update
-jobs:
- deploy:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
+1. **Compilation**: Your updated workflow code is compiled to WASM
+2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
+3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
+4. **Replacement**: The previous version is replaced with the new deployment
+5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-```
+
+ When you update a workflow, the CLI matches the status of the previously deployed version. If your workflow was paused, the updated version will remain paused. If it was active, the updated version will be active and immediately start responding to triggers. To change the workflow status, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
+
-
- Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+ CRE does not currently maintain workflow version history. When you redeploy a workflow with the same name, it completely replaces the previous deployment. You cannot roll back to a previous version through the CLI.
-## HTTP triggers with the private registry
+## Best practices for updates
-If your private registry workflow uses an HTTP trigger, note that the gateway endpoint is different from the public registry:
+1. **Test locally first**: Always test your changes using `cre workflow simulate` before deploying to production
+2. **Pause before updating** (optional): If you want to ensure no triggers fire during the update, pause the workflow first using `cre workflow pause`
+3. **Monitor after deployment**: Check that the updated workflow executes correctly after deployment
+4. **Keep track of changes**: Maintain your own version control (e.g., Git tags) to track workflow versions
-| Registry | HTTP trigger gateway URL |
-| ----------------- | ------------------------------------------------------ |
-| Public (on-chain) | `https://01.gateway.zone-a.cre.chain.link` |
-| **Private** | `https://01.enterprise-gateway.zone-a.cre.chain.link/` |
+## Using multi-sig wallets
-Update your `GATEWAY_URL` (or equivalent configuration) wherever you send trigger requests (in local testing, CI scripts, or backend integrations) to use the enterprise gateway URL when targeting private registry workflows.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
-See [Triggering Deployed Workflows](/cre/guides/workflow/using-triggers/http-trigger/triggering-deployed-workflows) for the full HTTP trigger request format and authentication details.
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-## Next steps
+## Learn more
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
-- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Learn about the initial deployment process
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
-- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
-- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
+- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Remove workflows from the registry
---
-# Deploying to the Onchain Registry
-Source: https://docs.chain.link/cre/guides/operations/deploying-to-onchain-registry
-Last Updated: 2026-05-06
-
-
- Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-
-
-The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+# Deleting Workflows
+Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
+Last Updated: 2025-11-04
-For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
-Before deploying to the onchain registry, ensure you have:
-
-- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
-- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
-- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
-- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
-- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process:
-
-1. **Compiles** your workflow to a WASM binary.
-2. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
-3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
-
-
-
- Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
-
-When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
-
-If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
-
-```yaml
-# workflow.yaml
-production-settings:
- user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts" # Go: "."
- config-path: "./config.production.json"
- secrets-path: ""
-```
-
-If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+Before deleting a workflow, ensure you have:
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
+- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
+- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
-### Step 2: Run the deploy command
+## Deleting a workflow
-**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+To delete a workflow, run the `cre workflow delete` command from your project root:
```bash
-cre workflow deploy [flags]
+cre workflow delete my-workflow --target production-settings
```
-Example command targeting the `production-settings` environment:
+The CLI identifies which workflow to delete based on:
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+- `workflow-name` from your `workflow.yaml` file
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
-**Available flags:**
+### What happens during deletion
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
+2. It displays details about the workflow(s) to be deleted
+3. It prompts you to confirm by typing the workflow name
+4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Step 3: Monitor the output
-The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+
+
+### Example onchain registry output
```bash
-> cre workflow deploy my-workflow --target production-settings
+> cre workflow delete my-workflow --target production-settings
-Deploying Workflow : my-workflow
+Deleting Workflow : my-workflow
Target : production-settings
Owner Address :
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
+Found 1 workflow(s) to delete for name: my-workflow
+ 1. Workflow
+ ID: 00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
+ Owner:
+ DON Family: zone-a
+ Tag: my-workflow
+ Binary URL: https://storage.cre.example.com/artifacts/00f0379a.../binary.wasm
+ Workflow Status: PAUSED
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+Are you sure you want to delete the workflow 'my-workflow'?
+This action cannot be undone.
-Preparing deployment transaction...
-Preparing transaction for workflowID:
+To confirm, type the workflow name: my-workflow: my-workflow
+Deleting 1 workflow(s)...
Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
+ Chain Name: ethereum-testnet-sepolia
+ To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+ Function: DeleteWorkflow
Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
+ [0]: 0x00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
+ Data: 695e134000f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
Estimated Cost:
Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
+ Total Cost: 0.00000015 ETH
? Do you want to execute this transaction?:
▸ Yes
No
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
+✓ Transaction confirmed
+View on explorer: https://sepolia.etherscan.io/tx/0xf059c32...fec7d
+✓ Deleted workflow ID: 00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
+✓ Workflows deleted successfully
```
-## Verifying your deployment
+### Skipping the confirmation prompt
-After a successful deployment, verify your workflow was registered correctly:
+If you want to skip the interactive confirmation prompt (e.g., in automated scripts), use the `--yes` flag:
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+```bash
+cre workflow delete my-workflow --yes --target production-settings
+```
-2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
-3. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+ The `--yes` flag bypasses the confirmation prompt and immediately deletes the workflow. Only use this flag in automated workflows or when you are absolutely certain you want to delete the workflow.
+
-## CI/CD pipeline integration
+## Using multi-sig wallets
-The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
-The separation gives you two key benefits:
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+## Learn more
-### Example: GitHub Actions
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Deploy new workflows to the registry
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update existing workflows
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+---
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
+# Using Multi-sig Wallets
+Source: https://docs.chain.link/cre/guides/operations/using-multisig-wallets
+Last Updated: 2025-11-04
-on:
- push:
- branches: [main]
+This guide explains how to use multi-sig wallets with CRE CLI commands for deploying, activating, pausing, updating, and deleting workflows.
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
+## How multi-sig works with CRE CLI
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+When managing workflows with a multi-sig wallet, the CRE CLI can generate raw transaction data that you submit through your multi-sig wallet interface. Instead of the CLI signing and sending the transaction directly, it prepares the transaction data for you to sign offline through your multi-sig wallet.
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+**The workflow:**
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+1. Run a CRE CLI command with the `--unsigned` flag
+2. The CLI generates the raw transaction data
+3. You submit this data to your multi-sig wallet interface
+4. Signers approve the transaction
+5. Once enough signatures are collected, execute the transaction onchain
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
+## Prerequisites
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
+Before using multi-sig wallets with CRE CLI commands, ensure you have:
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+### 1. Authenticated with the CLI
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
+You must be logged in to use any CRE CLI commands. Run `cre whoami` in your terminal to verify you're logged in, or run `cre login` to authenticate.
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+See [Logging in with the CLI](/cre/account/cli-login) for detailed instructions.
+
+### 2. Configure your multi-sig address
+
+Add your multi-sig wallet address to your `project.yaml` or `workflow.yaml` under the target you're using:
+
+```yaml
+production-settings:
+ user-workflow:
+ workflow-owner-address: ""
+ workflow-name: "my-workflow"
```
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+ If you have both `project.yaml` and `workflow.yaml`, the CLI uses the value from `workflow.yaml` for that specific workflow. However, if `project.yaml` contains a placeholder value like `"(optional) Multi-signature contract address"`, you must replace it with your actual multi-sig address in `project.yaml` as well.
+### 3. Keep your private key in `.env`
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
+Even when using `--unsigned`, the CLI still requires `CRE_ETH_PRIVATE_KEY` in your `.env` file:
-## Using multi-sig wallets
+```bash
+CRE_ETH_PRIVATE_KEY=your-private-key-here
+```
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+ The `--unsigned` flag tells the CLI to **prepare** the transaction without **signing or sending** it. However, the CLI still needs to connect to the blockchain to read the current state (e.g., fetch workflow IDs, validate workflow status, prepare transaction data). This connection requires a private key for initialization, but the key is never used to sign the multi-sig transaction.
+
-## Next steps
+## Using the `--unsigned` flag
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
-- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
+Add the `--unsigned` flag to any workflow management command:
----
+- **Deploy**:
-# Activating & Pausing Workflows
-Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
-Last Updated: 2025-11-04
+ ```bash
+ cre workflow deploy my-workflow --unsigned --target production-settings
+ ```
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
+- **Activate**:
-**Workflow states:**
+ ```bash
+ cre workflow activate my-workflow --unsigned --target production-settings
+ ```
-- **Active** — The workflow can respond to its configured triggers and execute
-- **Paused** — The workflow cannot respond to triggers and will not execute
+- **Pause**:
-## Prerequisites
+ ```bash
+ cre workflow pause my-workflow --unsigned --target production-settings
+ ```
-Before activating or pausing workflows, ensure you have:
+- **Delete**:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
-- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
-- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
-- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
-- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
+ ```bash
+ cre workflow delete my-workflow --unsigned --target production-settings
+ ```
-## Activating a workflow
+## Example output
-The `cre workflow activate` command changes a paused workflow's status to active, allowing its triggers to fire and the workflow to execute.
+When you run a command with `--unsigned`, the CLI generates transaction data instead of sending the transaction:
-### When to activate
+```bash
+> cre workflow activate my-workflow --unsigned --target production-settings
-You typically use `activate` after pausing a workflow to resume execution after maintenance or debugging.
+Activating Workflow : my-workflow
+Target : production-settings
+Owner Address :
-### Usage
+Activating workflow: Name=my-workflow, Owner=, WorkflowID=
+--unsigned flag detected: transaction not sent on-chain.
+Generating call data for offline signing and submission in your preferred tool:
-Run the command from your project root:
+MSIG workflow activation transaction prepared!
+To Activate my-workflow with workflowID:
-```bash
-cre workflow activate my-workflow --target production-settings
-```
+Next steps:
-The CLI identifies which workflow to activate based on:
+ 1. Submit the following transaction on the target chain:
+ Chain: ethereum-testnet-sepolia
+ Contract Address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
-- `workflow-name` from your `workflow.yaml` file
-- `deployment-registry` from your `workflow.yaml` file
-- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
+ 2. Use the following transaction data:
-### What happens during activation
+ 530979d600f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000067a6f6e652d610000000000000000000000000000000000000000000000000000
+```
-1. The CLI fetches the workflow matching your workflow name and configured registry authorization
-2. It validates that the workflow is currently paused
-3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
+## Submitting the transaction to your multi-sig wallet
-### Example onchain registry output
+Once you have the transaction data, follow these steps:
-```bash
-> cre workflow activate my-workflow --target production-settings
+### 1. Open your multi-sig wallet interface
-Activating Workflow : my-workflow
-Target : production-settings
-Owner Address :
+Access your multi-sig wallet (e.g., Gnosis Safe) and navigate to the transaction creation page.
-Activating workflow: Name=my-workflow, Owner=, WorkflowID=
-Transaction details:
- Chain Name: ethereum-testnet-sepolia
- To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
- Function: ActivateWorkflow
- Inputs:
- [0]:
- [1]: zone-a
- Data: 530979d6000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100000 gwei
- Total Cost: 0.00000038 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
+### 2. Create a new transaction
-✓ Transaction confirmed: 0xd5b94bd...87498b
-View on explorer: https://sepolia.etherscan.io/tx/0xd5b94bd...87498b
+Enter the transaction details from the CLI output:
-✓ Workflow activated successfully
+- **To address**: Use the contract address from the output (e.g., `0xF3f93fc4dc177748E7557568b5354cB009e3818a`)
+- **Value**: `0` (no ETH is being sent)
+- **Data**: Paste the full transaction data from the CLI output
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
- Transaction hash: 0xd5b94bd...87498b
- Workflow Name: my-workflow
- Workflow ID:
-```
+### 3. Submit for signatures
-## Pausing a workflow
+Submit the transaction for approval. The transaction will require the configured number of signatures from your multi-sig signers.
-The `cre workflow pause` command changes an active workflow's status to paused, preventing its triggers from firing and stopping execution.
+### 4. Execute the transaction
-### When to pause
+Once enough signatures are collected, execute the transaction onchain. The multi-sig wallet will broadcast the signed transaction to the blockchain.
-Pause workflows when you need to:
+## Troubleshooting
-- **Perform maintenance**: Temporarily stop execution while updating dependencies or configuration
-- **Debug issues**: Halt execution to investigate errors or unexpected behavior
-- **Temporarily halt operations**: Stop workflow execution without permanently deleting it
+### Error: "WorkflowOwner must be a valid Ethereum address"
-### Usage
+This error occurs when:
-Run the command from your project root:
+- The `workflow-owner-address` is not set in your configuration
+- The `workflow-owner-address` contains a placeholder value like `"(optional) Multi-signature contract address"`
-```bash
-cre workflow pause my-workflow --target production-settings
+**Solution:** Update your `project.yaml` or `workflow.yaml` with your actual multi-sig address:
+
+```yaml
+production-settings:
+ user-workflow:
+ workflow-owner-address: "0x123..." # Your actual multi-sig address
```
-### What happens during pausing
+### Error: "failed to read keys: invalid length, need 256 bits"
-1. The CLI fetches the workflow matching your workflow name and configured registry authorization
-2. It validates that the workflow is currently active
-3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
+This error occurs when `CRE_ETH_PRIVATE_KEY` is missing or empty in your `.env` file.
-### Example onchain registry output
+**Solution:** Ensure your `.env` file contains a valid private key:
```bash
-> cre workflow pause my-workflow --target production-settings
+CRE_ETH_PRIVATE_KEY=0x1234567890abcdef...
+```
-Pausing Workflow : my-workflow
-Target : production-settings
-Owner Address :
+Remember, this key is only used for blockchain client initialization, not for signing the multi-sig transaction.
-Fetching workflows to pause... Name=my-workflow, Owner=
-Processing batch pause... count=1
-Transaction details:
- Chain Name: ethereum-testnet-sepolia
- To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
- Function: BatchPauseWorkflows
- Inputs:
- [0]: []
- Data: d8b80738000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100000 gwei
- Total Cost: 0.00000021 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-✓ Transaction confirmed
-View on explorer: https://sepolia.etherscan.io/tx/0x2e09a66...db66e
-✓ Workflows paused successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
- Transaction hash: 0x2e09a66...db66e
- Workflow Name: my-workflow
- Workflow ID:
-```
+## Learn more
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Deploy workflows to the registry
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update workflow code and configuration
+- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Remove workflows from the registry
-
- Triggers that would have fired while a workflow was paused are **not queued or retroactively executed**. When you activate the workflow again, it will only respond to new triggers that occur after activation.
-
+---
-## Using multi-sig wallets
+# Monitoring & Debugging Workflows
+Source: https://docs.chain.link/cre/guides/operations/monitoring-workflows
+Last Updated: 2025-11-04
-For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
+After deploying a workflow, you can monitor its execution history, performance metrics, and logs through the CRE web interface. This guide walks you through the monitoring dashboard and debugging tools available for your deployed workflows.
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+## Prerequisites
-## Learn more
+- **Deployed workflow**: You must have at least one workflow deployed to your organization. See [Deploying Workflows](/cre/guides/operations/deploying-workflows) for instructions.
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Learn how to deploy workflows to the registry
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update your workflow code and configuration
-- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Permanently remove workflows from the registry
-- [CLI Reference: Workflow Commands](/cre/reference/cli/workflow) — Complete command reference with all flags and options
+## Accessing the workflows dashboard
----
+1. **Log in to the CRE UI** at app.chain.link/cre/discover
-# Updating Deployed Workflows
-Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
-Last Updated: 2026-01-23
+2. **Navigate to the Workflows section** by clicking **Workflows** in the left sidebar, or visit app.chain.link/cre/workflows directly
-When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+The Workflows dashboard displays three main sections:
+- **Recent executions**: Shows the most recent workflow runs across all your workflows
+- **Activity chart**: Visualizes successful and unsuccessful executions over the selected time period
+- **All workflows table**: Lists all deployed workflows with their status and execution history
-
- The workflow ID changes each time you update a workflow. This is because the workflow ID is a hash derived from the workflow binary and configuration. If your consumer contract uses the workflow ID for validation, make sure to update the expected workflow ID after each update. See [Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts#34-configuring-permissions) for details.
-
+## Understanding the workflows dashboard
-## Prerequisites
+### Recent executions
-Before updating a deployed workflow, ensure you have:
+The top section displays the most recent workflow executions across your organization:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
-- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
-- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
-- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
-- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
+- **Execution ID**: A unique identifier for each workflow run (shortened for display)
+- **Workflow name**: The name of the workflow that executed
+- **Status**: Success or Failure indicator
+- **Timestamp**: When the execution occurred
-## Updating a workflow
+Click on any execution ID to view detailed logs and events for that specific run.
-To update a workflow, simply redeploy it using the same workflow name:
+### Activity chart
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+The performance chart shows execution trends over the selected time period:
-### What happens during an update
+- **Green bars**: Successful executions
+- **Red bars**: Unsuccessful executions
+- **Height**: Total number of executions for that day
-1. **Compilation**: Your updated workflow code is compiled to WASM
-2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-4. **Replacement**: The previous version is replaced with the new deployment
-5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
+Use the dropdown menu to adjust the time range.
+### All workflows table
-
- When you update a workflow, the CLI matches the status of the previously deployed version. If your workflow was paused, the updated version will remain paused. If it was active, the updated version will be active and immediately start responding to triggers. To change the workflow status, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
-
+The main table displays all workflows in your organization:
+| Column | Description |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- |
+| **Name** | The workflow name as defined in your `workflow.yaml` |
+| **Status** | Current workflow state: `Pending` (active and ready to execute) |
+| **Last Execution** | Timestamp of the most recent execution, or `N/A` if not yet triggered |
+| **Execution Results (last 24h)** | Visual bar showing successful (green) vs. failed (red) executions in the past 24 hours, with counts |
-
- CRE does not currently maintain workflow version history. When you redeploy a workflow with the same name, it completely replaces the previous deployment. You cannot roll back to a previous version through the CLI.
-
+Click on any workflow row to view its detailed performance and execution history.
-## Best practices for updates
+## Viewing workflow details
-1. **Test locally first**: Always test your changes using `cre workflow simulate` before deploying to production
-2. **Pause before updating** (optional): If you want to ensure no triggers fire during the update, pause the workflow first using `cre workflow pause`
-3. **Monitor after deployment**: Check that the updated workflow executes correctly after deployment
-4. **Keep track of changes**: Maintain your own version control (e.g., Git tags) to track workflow versions
+When you click on a workflow, you'll see a dedicated page with comprehensive monitoring data.
-## Using multi-sig wallets
+### Performance section
-For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
+The Performance chart shows execution trends for this specific workflow over the selected time period. This helps you identify patterns, track reliability, and spot anomalies.
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+### Overview section
-## Learn more
+The Overview panel displays key workflow metadata:
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Learn about the initial deployment process
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
-- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Remove workflows from the registry
+| Field | Description |
+| ------------------------ | ----------------------------------------------------------------------------------------------- |
+| **Status** | Current workflow state (e.g., `PENDING`, `PAUSED`) |
+| **Workflow ID** | Unique identifier in the Workflow Registry (truncated, click to copy full ID) |
+| **Workflow Owner** | The wallet address that deployed and owns this workflow (truncated, click to copy full address) |
+| **Total Runs** | Cumulative number of executions since deployment |
+| **Registered On** | Timestamp when the workflow was first deployed |
+| **Total Workflow Spend** | Cumulative credits consumed by all executions |
----
+### Execution history
-# Deleting Workflows
-Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
-Last Updated: 2025-11-04
+The **Execution** tab shows a detailed table of all workflow runs:
-Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+| Column | Description |
+| ------------------ | ----------------------------------------------------------------------------------- |
+| **Execution ID** | Unique identifier for this specific run (click to view details) |
+| **Workflow ID** | The workflow that executed (useful if viewing executions across multiple workflows) |
+| **Status** | Execution result: Success, Failure, or In Progress |
+| **Time Triggered** | When the workflow execution started |
+| **Credits Used** | Cost of this execution in CRE credits |
-## Prerequisites
+Use the **ALL** dropdown filter to view all executions, only successful ones, or only failures.
-Before deleting a workflow, ensure you have:
+
+ To quickly identify failures, use the filter dropdown to show only failed executions. This helps you focus on
+ debugging problematic runs.
+
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
-- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
-- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
-- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
-- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
+### Deployments tab
-## Deleting a workflow
+The **Deployments** tab shows the history of workflow deployments and updates.
-To delete a workflow, run the `cre workflow delete` command from your project root:
+## Debugging individual executions
-```bash
-cre workflow delete my-workflow --target production-settings
-```
+Click on any **Execution ID** to view detailed debugging information for that specific run.
-The CLI identifies which workflow to delete based on:
+### Events tab
-- `workflow-name` from your `workflow.yaml` file
-- `deployment-registry` from your `workflow.yaml` file
-- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
+The **Events** tab displays the events triggered by this execution in sequential order:
-### What happens during deletion
+- **Event**: The type of event (e.g., `trigger`, `evm:ChainSelector`, `consensus`, etc.)
+- **Status**: Whether the event succeeded, failed, or is in progress (`Success`, `Failure`, `In progress`)
+- **Time Triggered**: When the event occurred
-1. The CLI fetches all workflows matching your workflow name and configured registry authorization
-2. It displays details about the workflow(s) to be deleted
-3. It prompts you to confirm by typing the workflow name
-4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
+**What you'll see:**
+- Trigger activation
+- Capability execution steps (HTTP requests, EVM calls, etc.)
+- Consensus operations
-
- **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+
+ The Events tab shows system-level events only. To see your custom log messages (e.g., `runtime.log()` in TypeScript or
+ `logger.Info()` in Go), switch to the **Logs** tab.
-### Example onchain registry output
-
-```bash
-> cre workflow delete my-workflow --target production-settings
-
-Deleting Workflow : my-workflow
-Target : production-settings
-Owner Address :
+### Logs tab
-Found 1 workflow(s) to delete for name: my-workflow
- 1. Workflow
- ID: 00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
- Owner:
- DON Family: zone-a
- Tag: my-workflow
- Binary URL: https://storage.cre.example.com/artifacts/00f0379a.../binary.wasm
- Workflow Status: PAUSED
+The **Logs** tab shows only user-emitted logs from your workflow code:
-Are you sure you want to delete the workflow 'my-workflow'?
-This action cannot be undone.
+- Each log entry displays a timestamp, log level (e.g., `INFO`), and your custom message
+- This is where you'll see output from `runtime.log()` (TypeScript) or `logger.Info()` (Go)
+- System messages and internal events are excluded for clarity
+- Logs appear in chronological order, showing the complete execution flow of your workflow
-To confirm, type the workflow name: my-workflow: my-workflow
-Deleting 1 workflow(s)...
-Transaction details:
- Chain Name: ethereum-testnet-sepolia
- To: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
- Function: DeleteWorkflow
- Inputs:
- [0]: 0x00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
- Data: 695e134000f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000015 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
+**Example log output:**
-✓ Transaction confirmed
-View on explorer: https://sepolia.etherscan.io/tx/0xf059c32...fec7d
-✓ Deleted workflow ID: 00f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4
-✓ Workflows deleted successfully
+```
+time=2025-10-26T13:19:57.055Z level=INFO msg="Successfully fetched offchain value" result=4
+time=2025-10-26T13:19:57.055Z level=INFO msg="Successfully read onchain value" result=22
+time=2025-10-26T13:19:57.055Z level=INFO msg="Final calculated result" result=26
+time=2025-10-26T13:19:57.055Z level=INFO msg="Updating calculator result" consumerAddress=0x00307d6d1f88...
+time=2025-10-26T13:19:57.055Z level=INFO msg="Writing report to consumer contract" offchainValue=4 onchainValue=22
+time=2025-10-26T13:19:57.055Z level=INFO msg="Waiting for write report response"
```
-### Skipping the confirmation prompt
+
+ Use `runtime.log()` (TypeScript) or `logger.Info()` (Go) liberally in your workflow code during development. These
+ logs appear in the Logs tab and are invaluable for debugging execution flow and inspecting variable values.
+
-If you want to skip the interactive confirmation prompt (e.g., in automated scripts), use the `--yes` flag:
+## Monitoring best practices
-```bash
-cre workflow delete my-workflow --yes --target production-settings
-```
+1. **Check the dashboard regularly**: Review the Activity chart to spot trends in failures or performance degradation
+2. **Investigate failures immediately**: When you see red bars in the chart or failed executions, click through to view logs and identify the root cause
-
- The `--yes` flag bypasses the confirmation prompt and immediately deletes the workflow. Only use this flag in automated workflows or when you are absolutely certain you want to delete the workflow.
-
+3. **Use descriptive log messages**: Include context in your log statements to make debugging easier:
-## Using multi-sig wallets
+ ```typescript
+ // TypeScript
+ runtime.log(`Successfully fetched offchain value: ${offchainValue}`)
+ runtime.log(`Final calculated result: ${finalResult}`)
+ ```
-For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
+ ```go
+ // Go
+ logger.Info("Successfully fetched offchain value", "result", offchainValue)
+ logger.Info("Final calculated result", "result", finalResult)
+ ```
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+4. **Monitor execution frequency**: If a cron-triggered workflow shows fewer executions than expected, verify your cron schedule and workflow status
-## Learn more
+5. **Track credit usage**: Monitor the Total Workflow Spend to understand your workflow's cost over time
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Deploy new workflows to the registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update existing workflows
+## Common debugging scenarios
----
+### Workflow not executing
-# Using Multi-sig Wallets
-Source: https://docs.chain.link/cre/guides/operations/using-multisig-wallets
-Last Updated: 2025-11-04
+**Symptoms:** No recent executions in the dashboard
-This guide explains how to use multi-sig wallets with CRE CLI commands for deploying, activating, pausing, updating, and deleting workflows.
+**Possible causes:**
-## How multi-sig works with CRE CLI
+- Workflow is paused (check the Status field)
+- Trigger is not firing (e.g., invalid cron schedule, no matching onchain events)
+- Workflow was recently deployed and hasn't been triggered yet
-When managing workflows with a multi-sig wallet, the CRE CLI can generate raw transaction data that you submit through your multi-sig wallet interface. Instead of the CLI signing and sending the transaction directly, it prepares the transaction data for you to sign offline through your multi-sig wallet.
+**Resolution:**
-**The workflow:**
+- Verify the workflow Status is `PENDING` (active)
+- Check your trigger configuration in the code
+- Use [Workflow Simulation](/cre/guides/operations/simulating-workflows) to test locally
-1. Run a CRE CLI command with the `--unsigned` flag
-2. The CLI generates the raw transaction data
-3. You submit this data to your multi-sig wallet interface
-4. Signers approve the transaction
-5. Once enough signatures are collected, execute the transaction onchain
+***
-## Prerequisites
+### Execution failures
-Before using multi-sig wallets with CRE CLI commands, ensure you have:
+**Symptoms:** Red bars in Activity chart, failed executions in table
-### 1. Authenticated with the CLI
+**Possible causes:**
-You must be logged in to use any CRE CLI commands. Run `cre whoami` in your terminal to verify you're logged in, or run `cre login` to authenticate.
+- API request failures (HTTP errors, timeouts)
+- Onchain reverts (contract calls failing)
+- Invalid configuration or missing secrets
+- Logic errors in workflow code
-See [Logging in with the CLI](/cre/account/cli-login) for detailed instructions.
+**Resolution:**
-### 2. Configure your multi-sig address
+1. Click on the failed Execution ID
+2. Check the **Events** tab to see which step failed
+3. Review the **Logs** tab for error messages from your code
+4. Fix the issue in your code and [update the workflow](/cre/guides/operations/updating-deployed-workflows)
-Add your multi-sig wallet address to your `project.yaml` or `workflow.yaml` under the target you're using:
+## Related guides
-```yaml
-production-settings:
- user-workflow:
- workflow-owner-address: ""
- workflow-name: "my-workflow"
-```
+- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow
+- **[Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows)** - Control workflow execution
+- **[Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows)** - Fix issues and deploy updates
+- **[Simulating Workflows](/cre/guides/operations/simulating-workflows)** - Test workflows locally before deploying
+---
-
- If you have both `project.yaml` and `workflow.yaml`, the CLI uses the value from `workflow.yaml` for that specific workflow. However, if `project.yaml` contains a placeholder value like `"(optional) Multi-signature contract address"`, you must replace it with your actual multi-sig address in `project.yaml` as well.
-
+# Custom WASM Builds
+Source: https://docs.chain.link/cre/guides/operations/custom-build
+Last Updated: 2026-02-26
-### 3. Keep your private key in `.env`
+By default, `cre workflow deploy` and `cre workflow simulate` compile your Go or TypeScript source to a WASM binary automatically — no build configuration required. This works for most workflows.
-Even when using `--unsigned`, the CLI still requires `CRE_ETH_PRIVATE_KEY` in your `.env` file:
+`cre workflow custom-build` is an opt-in feature for advanced users who need to own the build step. Once converted, the CLI delegates compilation to a `Makefile` in your workflow directory instead of compiling your source itself.
-```bash
-CRE_ETH_PRIVATE_KEY=your-private-key-here
-```
+## When to use custom WASM builds
-
- The `--unsigned` flag tells the CLI to **prepare** the transaction without **signing or sending** it. However, the CLI still needs to connect to the blockchain to read the current state (e.g., fetch workflow IDs, validate workflow status, prepare transaction data). This connection requires a private key for initialization, but the key is never used to sign the multi-sig transaction.
+
+ Automatic builds are the default and work for the vast majority of workflows. Use custom builds only when you have a specific reason to take control of the compilation step.
-## Using the `--unsigned` flag
-
-Add the `--unsigned` flag to any workflow management command:
-
-- **Deploy**:
-
- ```bash
- cre workflow deploy my-workflow --unsigned --target production-settings
- ```
+Generally, you should consider using custom WASM builds only when you have a specific reason to take control of the compilation step. Custom workflows are particularly useful for teams that need to use a custom compiler version or toolchain that differs from the CRE default compiler.
-- **Activate**:
+Common reasons to use custom WASM builds:
- ```bash
- cre workflow activate my-workflow --unsigned --target production-settings
- ```
+- **Custom compiler flags or build tags**: Add optimization flags, conditional compilation tags, or other build-time settings not exposed by the CLI's built-in compiler
+- **CI/CD pipelines**: Build the WASM artifact once in your pipeline and promote it across environments without recompiling
+- **Pre-build validation**: Add linting, type checking, formatting, or security scanning steps before compilation
+- **Non-standard toolchains**: Use a custom compiler version or toolchain that differs from the CLI default
+- **Language and SDK extensions**: Integrate code from other languages or custom SDKs into your build pipeline
-- **Pause**:
+## Convert a workflow to custom build
- ```bash
- cre workflow pause my-workflow --unsigned --target production-settings
- ```
+Run the following command from your project root:
-- **Delete**:
+```bash
+cre workflow custom-build ./my-workflow
+```
- ```bash
- cre workflow delete my-workflow --unsigned --target production-settings
- ```
+You will be prompted to confirm before any changes are made. To skip the prompt, use `--force`.
-## Example output
-When you run a command with `--unsigned`, the CLI generates transaction data instead of sending the transaction:
+
+ This modifies your `workflow.yaml`, updating `workflow-path` to `./wasm/workflow.wasm` for all targets (e.g. `staging-settings`, `production-settings`). After conversion, the CLI no longer compiles your source automatically. Your `Makefile` is responsible for producing the binary.
-```bash
-> cre workflow activate my-workflow --unsigned --target production-settings
+ There is no automated way to reverse this with the CLI, but you can do it manually:
-Activating Workflow : my-workflow
-Target : production-settings
-Owner Address :
+ 1. Edit `my-workflow/workflow.yaml`: change `workflow-path` back from `"./wasm/workflow.wasm"` to `"."` in each target
+ 2. Delete `my-workflow/Makefile` and the `my-workflow/wasm/` directory
+
-Activating workflow: Name=my-workflow, Owner=, WorkflowID=
---unsigned flag detected: transaction not sent on-chain.
-Generating call data for offline signing and submission in your preferred tool:
+The following changes are made to your workflow:
-MSIG workflow activation transaction prepared!
-To Activate my-workflow with workflowID:
+- Updates `workflow-path` to `./wasm/workflow.wasm` in your `workflow.yaml` for all targets
+- Creates a `Makefile` in your workflow directory with a `build` target
+- Creates a `wasm/` output directory
-Next steps:
+## Build and simulate
- 1. Submit the following transaction on the target chain:
- Chain: ethereum-testnet-sepolia
- Contract Address: 0xF3f93fc4dc177748E7557568b5354cB009e3818a
+After conversion, install dependencies (TypeScript only), then build and simulate:
- 2. Use the following transaction data:
+```bash
+# TypeScript only
+bun install
- 530979d600f0379a2df46ad2c5af070f5871da89f589f8bff8af76ff6a44bb59bec88bf4000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000067a6f6e652d610000000000000000000000000000000000000000000000000000
+make build
+cre workflow simulate ./my-workflow --target staging-settings
```
-## Submitting the transaction to your multi-sig wallet
+The CLI picks up the compiled binary at `wasm/workflow.wasm` automatically.
-Once you have the transaction data, follow these steps:
+## Try it yourself
-### 1. Open your multi-sig wallet interface
+Walk through the full custom build flow end to end using a hello-world project.
-Access your multi-sig wallet (e.g., Gnosis Safe) and navigate to the transaction creation page.
+**1. Convert your workflow to a custom build:** Run the following command from your project root:
-### 2. Create a new transaction
+```bash
+cre workflow custom-build ./my-workflow
+```
-Enter the transaction details from the CLI output:
+**2. Open the generated `Makefile`:** In the `my-workflow` directory, you'll see a new `Makefile` with a `build` target.
-- **To address**: Use the contract address from the output (e.g., `0xF3f93fc4dc177748E7557568b5354cB009e3818a`)
-- **Value**: `0` (no ETH is being sent)
-- **Data**: Paste the full transaction data from the CLI output
+Code snippet for my-workflow/Makefile:
-### 3. Submit for signatures
+```bash
+.PHONY: build
-Submit the transaction for approval. The transaction will require the configured number of signatures from your multi-sig signers.
+build:
+ bun cre-compile main.ts wasm/workflow.wasm
+```
-### 4. Execute the transaction
+Install dependencies and run the initial build:
-Once enough signatures are collected, execute the transaction onchain. The multi-sig wallet will broadcast the signed transaction to the blockchain.
+```bash
+# TypeScript only
+bun install
-## Troubleshooting
+make build
+cre workflow simulate ./my-workflow --target staging-settings
+```
-### Error: "WorkflowOwner must be a valid Ethereum address"
+For a hello-world workflow you'll see output like `"Hello world!"`.
-This error occurs when:
+**3. Add a custom step to your `Makefile`** (highlighted line shows what to add):
-- The `workflow-owner-address` is not set in your configuration
-- The `workflow-owner-address` contains a placeholder value like `"(optional) Multi-signature contract address"`
+Code snippet for my-workflow/Makefile:
-**Solution:** Update your `project.yaml` or `workflow.yaml` with your actual multi-sig address:
+```bash
+.PHONY: build
-```yaml
-production-settings:
- user-workflow:
- workflow-owner-address: "0x123..." # Your actual multi-sig address
+build:
+ echo "Running my custom build step..." # highlight-line
+ bun cre-compile main.ts wasm/workflow.wasm
```
-### Error: "failed to read keys: invalid length, need 256 bits"
-
-This error occurs when `CRE_ETH_PRIVATE_KEY` is missing or empty in your `.env` file.
-
-**Solution:** Ensure your `.env` file contains a valid private key:
+**4. Rebuild and simulate again:** Run the following commands from your project root:
```bash
-CRE_ETH_PRIVATE_KEY=0x1234567890abcdef...
+make build
+cre workflow simulate ./my-workflow --target staging-settings
```
-Remember, this key is only used for blockchain client initialization, not for signing the multi-sig transaction.
+When `make build` runs you'll see `Running my custom build step...` printed before compilation.
-## Learn more
+Swap the `echo` for any real step: type checking, linting, code generation, or a custom compiler invocation.
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Deploy workflows to the registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Update workflow code and configuration
-- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Remove workflows from the registry
+## Generated Makefile
----
+The generated `Makefile` is ready to use. The only requirement is that `make build` produces `wasm/workflow.wasm`.
-# Monitoring & Debugging Workflows
-Source: https://docs.chain.link/cre/guides/operations/monitoring-workflows
-Last Updated: 2025-11-04
+**Go:**
-After deploying a workflow, you can monitor its execution history, performance metrics, and logs through the CRE web interface. This guide walks you through the monitoring dashboard and debugging tools available for your deployed workflows.
+```makefile
+.PHONY: build
-## Prerequisites
+build:
+ GOOS=wasip1 GOARCH=wasm CGO_ENABLED=0 go build -o wasm/workflow.wasm -trimpath -ldflags="-buildid= -w -s" .
+```
-- **Deployed workflow**: You must have at least one workflow deployed to your organization. See [Deploying Workflows](/cre/guides/operations/deploying-workflows) for instructions.
+**TypeScript:**
-## Accessing the workflows dashboard
+```makefile
+.PHONY: build
-1. **Log in to the CRE UI** at app.chain.link/cre/discover
+build:
+ bun cre-compile main.ts wasm/workflow.wasm
+```
-2. **Navigate to the Workflows section** by clicking **Workflows** in the left sidebar, or visit app.chain.link/cre/workflows directly
+## Customizing the Makefile
-The Workflows dashboard displays three main sections:
+Edit the generated `Makefile` to add any steps your build requires.
-- **Recent executions**: Shows the most recent workflow runs across all your workflows
-- **Activity chart**: Visualizes successful and unsuccessful executions over the selected time period
-- **All workflows table**: Lists all deployed workflows with their status and execution history
+**Example: Go with build tags:**
-## Understanding the workflows dashboard
+```makefile
+.PHONY: build
-### Recent executions
+build:
+ GOOS=wasip1 GOARCH=wasm CGO_ENABLED=0 go build -tags mytag -o wasm/workflow.wasm -trimpath -ldflags="-buildid= -w -s" .
+```
-The top section displays the most recent workflow executions across your organization:
+**Example: TypeScript with type checking, linting, and formatting:**
-- **Execution ID**: A unique identifier for each workflow run (shortened for display)
-- **Workflow name**: The name of the workflow that executed
-- **Status**: Success or Failure indicator
-- **Timestamp**: When the execution occurred
+```makefile
+.PHONY: build format lint typecheck
-Click on any execution ID to view detailed logs and events for that specific run.
+format:
+ bun run format
+lint: format
+ bun run lint
+typecheck: lint
+ bun run typecheck
-### Activity chart
+build: typecheck
+ bun cre-compile main.ts wasm/workflow.wasm
+```
-The performance chart shows execution trends over the selected time period:
+## Learn more
-- **Green bars**: Successful executions
-- **Red bars**: Unsuccessful executions
-- **Height**: Total number of executions for that day
+- [`cre workflow custom-build` reference](/cre/reference/cli/workflow#cre-workflow-custom-build): Command flags and usage
+- [Simulating Workflows](/cre/guides/operations/simulating-workflows): Testing your workflow locally
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows): Deploying to the Workflow Registry
-Use the dropdown menu to adjust the time range.
+---
-### All workflows table
+# Account
+Source: https://docs.chain.link/cre/account
+Last Updated: 2026-02-12
-The main table displays all workflows in your organization:
+Your CRE account is required to use the CRE CLI. You must be authenticated to run CLI commands, including simulating workflows, deploying workflows, and managing deployed workflows. You can authenticate using the browser-based `cre login` flow or an [API key](/cre/reference/cli/authentication#api-key-authentication) for CI/CD and headless environments(\*). This section covers everything you need to know about creating and managing your account.
-| Column | Description |
-| -------------------------------- | --------------------------------------------------------------------------------------------------- |
-| **Name** | The workflow name as defined in your `workflow.yaml` |
-| **Status** | Current workflow state: `Pending` (active and ready to execute) |
-| **Last Execution** | Timestamp of the most recent execution, or `N/A` if not yet triggered |
-| **Execution Results (last 24h)** | Visual bar showing successful (green) vs. failed (red) executions in the past 24 hours, with counts |
+(\*) API key authentication requires your account to have Early Access approval.
-Click on any workflow row to view its detailed performance and execution history.
+## What you'll need
-## Viewing workflow details
+To use CRE, you need:
-When you click on a workflow, you'll see a dedicated page with comprehensive monitoring data.
+1. **A CRE account** - Created through the web interface at app.chain.link/cre/discover (to create a new organization) or via an invitation link from an organization Owner (to join an existing organization)
+2. **Two-factor authentication** - Set up during account creation for security
+3. **CLI authentication** - Connect your CLI to your account using `cre login` or an [API key](/cre/reference/cli/authentication#api-key-authentication)
-### Performance section
+## Account guides
-The Performance chart shows execution trends for this specific workflow over the selected time period. This helps you identify patterns, track reliability, and spot anomalies.
+- **[Creating Your Account](/cre/account/creating-account)** - Step-by-step guide to creating a new CRE account through the CRE UI
+- **[Logging in with the CLI](/cre/account/cli-login)** - Authenticate your CLI with your CRE account to run commands
+- **[Managing Authentication](/cre/account/managing-auth)** - Check your login status, handle session expiration, and log out
+- **[Requesting Deploy Access](/cre/account/deploy-access)** - Check your deployment access status or submit a request for Early Access
-### Overview section
+## Security features
-The Overview panel displays key workflow metadata:
+Your CRE account includes several security features:
-| Field | Description |
-| ------------------------ | ----------------------------------------------------------------------------------------------- |
-| **Status** | Current workflow state (e.g., `PENDING`, `PAUSED`) |
-| **Workflow ID** | Unique identifier in the Workflow Registry (truncated, click to copy full ID) |
-| **Workflow Owner** | The wallet address that deployed and owns this workflow (truncated, click to copy full address) |
-| **Total Runs** | Cumulative number of executions since deployment |
-| **Registered On** | Timestamp when the workflow was first deployed |
-| **Total Workflow Spend** | Cumulative credits consumed by all executions |
+- **Two-factor authentication (2FA)** - Required during login for an additional layer of security
+- **Recovery codes** - Provided during account setup to regain access if you lose your authenticator device
+- **Session management** - CLI sessions automatically expire after a period of inactivity
-### Execution history
+
+ Never share your password, two-factor authentication codes, or recovery codes with anyone. Store your recovery code in
+ a secure location separate from your password.
+
-The **Execution** tab shows a detailed table of all workflow runs:
+## Related guides
-| Column | Description |
-| ------------------ | ----------------------------------------------------------------------------------- |
-| **Execution ID** | Unique identifier for this specific run (click to view details) |
-| **Workflow ID** | The workflow that executed (useful if viewing executions across multiple workflows) |
-| **Status** | Execution result: Success, Failure, or In Progress |
-| **Time Triggered** | When the workflow execution started |
-| **Credits Used** | Cost of this execution in CRE credits |
+Once you have your account set up and authenticated:
-Use the **ALL** dropdown filter to view all executions, only successful ones, or only failures.
+- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn about CRE organizations, roles, and permissions
+- **[Linking Wallet Keys](/cre/organization/linking-keys)** - Connect your wallet to deploy workflows
-
- To quickly identify failures, use the filter dropdown to show only failed executions. This helps you focus on
- debugging problematic runs.
-
+---
-### Deployments tab
+# Creating Your Account
+Source: https://docs.chain.link/cre/account/creating-account
+Last Updated: 2025-11-04
-The **Deployments** tab shows the history of workflow deployments and updates.
+Before you can use CRE, you need to create an account. An account is required to log in with the CRE CLI and run any CLI commands, including [simulating](/cre/guides/operations/simulating-workflows) workflows.
-## Debugging individual executions
+There are two ways to create an account:
-Click on any **Execution ID** to view detailed debugging information for that specific run.
+1. **Create a new organization**: Sign up directly on the CRE UI . You'll become the *Owner* of a new organization.
+2. **Join an existing organization**: Accept an invitation from an existing organization Owner. You'll become a *Member* of that organization automatically after account creation.
-### Events tab
+This guide walks you through the account creation process for both scenarios.
-The **Events** tab displays the events triggered by this execution in sequential order:
+## Prerequisites
-- **Event**: The type of event (e.g., `trigger`, `evm:ChainSelector`, `consensus`, etc.)
-- **Status**: Whether the event succeeded, failed, or is in progress (`Success`, `Failure`, `In progress`)
-- **Time Triggered**: When the event occurred
+- A valid email address
+- Access to your email inbox to receive verification codes (and invitation email, if joining an existing organization)
-**What you'll see:**
+## Step 1: Navigate to the CRE UI
-- Trigger activation
-- Capability execution steps (HTTP requests, EVM calls, etc.)
-- Consensus operations
+There are two ways to begin the account creation process:
-
- The Events tab shows system-level events only. To see your custom log messages (e.g., `runtime.log()` in TypeScript or
- `logger.Info()` in Go), switch to the **Logs** tab.
-
+### Option A: Create a new organization
-### Logs tab
+In this option, you'll create a new organization and become the *Owner* of that organization.
-The **Logs** tab shows only user-emitted logs from your workflow code:
+Go to app.chain.link/cre/discover and click the **"Create an account"** button.
-- Each log entry displays a timestamp, log level (e.g., `INFO`), and your custom message
-- This is where you'll see output from `runtime.log()` (TypeScript) or `logger.Info()` (Go)
-- System messages and internal events are excluded for clarity
-- Logs appear in chronological order, showing the complete execution flow of your workflow
+### Option B: Join an existing organization
-**Example log output:**
+In this option, you'll join an existing organization and become a *Member* of that organization.
-```
-time=2025-10-26T13:19:57.055Z level=INFO msg="Successfully fetched offchain value" result=4
-time=2025-10-26T13:19:57.055Z level=INFO msg="Successfully read onchain value" result=22
-time=2025-10-26T13:19:57.055Z level=INFO msg="Final calculated result" result=26
-time=2025-10-26T13:19:57.055Z level=INFO msg="Updating calculator result" consumerAddress=0x00307d6d1f88...
-time=2025-10-26T13:19:57.055Z level=INFO msg="Writing report to consumer contract" offchainValue=4 onchainValue=22
-time=2025-10-26T13:19:57.055Z level=INFO msg="Waiting for write report response"
-```
+If you've received an invitation email from an organization Owner, click the **"Accept Invitation"** button in the email. This will redirect you to the account creation page.
-
- Use `runtime.log()` (TypeScript) or `logger.Info()` (Go) liberally in your workflow code during development. These
- logs appear in the Logs tab and are invaluable for debugging execution flow and inspecting variable values.
-
-## Monitoring best practices
+
+ Only Owners can invite new members. Learn more about [Understanding Organizations](/cre/organization/understanding-organizations).
+
-1. **Check the dashboard regularly**: Review the Activity chart to spot trends in failures or performance degradation
+After choosing either option, continue with the following steps to complete your account creation.
-2. **Investigate failures immediately**: When you see red bars in the chart or failed executions, click through to view logs and identify the root cause
+## Step 2: Enter your information
-3. **Use descriptive log messages**: Include context in your log statements to make debugging easier:
+Fill in the required information:
- ```typescript
- // TypeScript
- runtime.log(`Successfully fetched offchain value: ${offchainValue}`)
- runtime.log(`Final calculated result: ${finalResult}`)
- ```
+1. **Email address**: Enter a valid email address (if not already pre-filled)
+2. **Country**: Select your country from the dropdown
+3. **Terms and policies**: Review and accept the Terms of Service and Privacy Policy
- ```go
- // Go
- logger.Info("Successfully fetched offchain value", "result", offchainValue)
- logger.Info("Final calculated result", "result", finalResult)
- ```
+Click **"Continue"** to proceed.
-4. **Monitor execution frequency**: If a cron-triggered workflow shows fewer executions than expected, verify your cron schedule and workflow status
+## Step 3: Verify your email
-5. **Track credit usage**: Monitor the Total Workflow Spend to understand your workflow's cost over time
+
+ If you're joining an existing organization via an invitation link, **skip this step**. Your email is already verified
+ when you accept the invitation, and you'll proceed directly to setting your password.
+
-## Common debugging scenarios
+Check your email inbox for a message from Chainlink containing a 6-digit verification code. Enter this code in the verification screen and click **Continue**.
-### Workflow not executing
+
+ If you don't see the verification email, check your spam folder. You can also request a new code by clicking "Resend
+ Code" on the verification screen.
+
-**Symptoms:** No recent executions in the dashboard
+## Step 4: Set your password
-**Possible causes:**
+Create a secure password for your account. Your password must meet the security requirements displayed on the screen.
-- Workflow is paused (check the Status field)
-- Trigger is not firing (e.g., invalid cron schedule, no matching onchain events)
-- Workflow was recently deployed and hasn't been triggered yet
+
+ Use a strong, unique password that you don't use for other services. Consider using a password manager to generate and
+ store secure passwords.
+
-**Resolution:**
+## Step 5: Set up two-factor authentication (2FA)
-- Verify the workflow Status is `PENDING` (active)
-- Check your trigger configuration in the code
-- Use [Workflow Simulation](/cre/guides/operations/simulating-workflows) to test locally
+To secure your account, you'll need to set up two-factor authentication. You'll be presented with two authentication method options:
-***
+1. **Fingerprint or Face Recognition** - Use biometric authentication on your device
+2. **Google Authenticator or similar** - Use an authenticator app
-### Execution failures
+### Using an authenticator app
-**Symptoms:** Red bars in Activity chart, failed executions in table
+If you choose the authenticator app option:
-**Possible causes:**
+1. Click **"Google Authenticator or similar"**
+2. Open your preferred authenticator app (such as Google Authenticator, Authy, or 1Password)
+3. Scan the QR code displayed on the screen
+4. Enter the 6-digit one-time code generated by your authenticator app
+5. Click **"Continue"**
-- API request failures (HTTP errors, timeouts)
-- Onchain reverts (contract calls failing)
-- Invalid configuration or missing secrets
-- Logic errors in workflow code
+
+ If you're having difficulty scanning the QR code, click "Trouble Scanning?" on the screen for alternative setup
+ options.
+
-**Resolution:**
+## Step 6: Save your recovery code
-1. Click on the failed Execution ID
-2. Check the **Events** tab to see which step failed
-3. Review the **Logs** tab for error messages from your code
-4. Fix the issue in your code and [update the workflow](/cre/guides/operations/updating-deployed-workflows)
+Your recovery code is essential for regaining access to your account if you lose access to your authenticator device.
-## Related guides
+1. Copy the recovery code displayed on the screen
+2. Store it securely in a password manager or offline location
+3. Check the box "I have safely recorded this code"
+4. Click **"Continue"** to complete account creation
-- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow
-- **[Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows)** - Control workflow execution
-- **[Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows)** - Fix issues and deploy updates
-- **[Simulating Workflows](/cre/guides/operations/simulating-workflows)** - Test workflows locally before deploying
+
+ **Never share your recovery code with anyone.** You'll need this code if you ever need to log in without your
+ authenticator device. Store it in a secure location.
+
----
+After completing these steps, you'll be redirected to your CRE dashboard.
-# Custom WASM Builds
-Source: https://docs.chain.link/cre/guides/operations/custom-build
-Last Updated: 2026-02-26
+## What's next?
-By default, `cre workflow deploy` and `cre workflow simulate` compile your Go or TypeScript source to a WASM binary automatically — no build configuration required. This works for most workflows.
+Once your account is created:
-`cre workflow custom-build` is an opt-in feature for advanced users who need to own the build step. Once converted, the CLI delegates compilation to a `Makefile` in your workflow directory instead of compiling your source itself.
+1. **[Log in to the CRE CLI](/cre/account/cli-login)** - Authenticate your CLI session
+2. **If you created a new organization (Owner)**: [Invite team members](/cre/organization/inviting-members) to collaborate on workflows
-## When to use custom WASM builds
+---
+
+# Logging in with the CLI
+Source: https://docs.chain.link/cre/account/cli-login
+Last Updated: 2026-03-26
+To deploy and manage workflows with the CRE CLI, you need to authenticate your CLI session with your CRE account. This guide walks you through the browser-based login process.
-
- Automatic builds are the default and work for the vast majority of workflows. Use custom builds only when you have a specific reason to take control of the compilation step.
+
+
+ If you need to authenticate without a browser (e.g., in a CI/CD pipeline), use [API key authentication](/cre/reference/cli/authentication#api-key-authentication) instead.
-Generally, you should consider using custom WASM builds only when you have a specific reason to take control of the compilation step. Custom workflows are particularly useful for teams that need to use a custom compiler version or toolchain that differs from the CRE default compiler.
+## Prerequisites
-Common reasons to use custom WASM builds:
+- [CRE CLI installed](/cre/getting-started/cli-installation) on your machine
+- [CRE account created](/cre/account/creating-account)
+- Access to your authenticator app for two-factor authentication
-- **Custom compiler flags or build tags**: Add optimization flags, conditional compilation tags, or other build-time settings not exposed by the CLI's built-in compiler
-- **CI/CD pipelines**: Build the WASM artifact once in your pipeline and promote it across environments without recompiling
-- **Pre-build validation**: Add linting, type checking, formatting, or security scanning steps before compilation
-- **Non-standard toolchains**: Use a custom compiler version or toolchain that differs from the CLI default
-- **Language and SDK extensions**: Integrate code from other languages or custom SDKs into your build pipeline
+## Login process
-## Convert a workflow to custom build
+### Step 1: Initiate login from the terminal
-Run the following command from your project root:
+Open your terminal and run the login command:
```bash
-cre workflow custom-build ./my-workflow
+cre login
```
-You will be prompted to confirm before any changes are made. To skip the prompt, use `--force`.
-
-
-
- This modifies your `workflow.yaml`, updating `workflow-path` to `./wasm/workflow.wasm` for all targets (e.g. `staging-settings`, `production-settings`). After conversion, the CLI no longer compiles your source automatically. Your `Makefile` is responsible for producing the binary.
-
- There is no automated way to reverse this with the CLI, but you can do it manually:
+This command will automatically open your default web browser to begin the authentication process.
- 1. Edit `my-workflow/workflow.yaml`: change `workflow-path` back from `"./wasm/workflow.wasm"` to `"."` in each target
- 2. Delete `my-workflow/Makefile` and the `my-workflow/wasm/` directory
+
+ If your browser doesn't open automatically, the CLI will display a URL that you can manually copy and paste into your
+ browser.
-The following changes are made to your workflow:
+### Step 2: Enter your email address
-- Updates `workflow-path` to `./wasm/workflow.wasm` in your `workflow.yaml` for all targets
-- Creates a `Makefile` in your workflow directory with a `build` target
-- Creates a `wasm/` output directory
+In the browser window that opens, enter the email address associated with your CRE account and click **"Continue"**.
-## Build and simulate
+### Step 3: Enter your password
-After conversion, install dependencies (TypeScript only), then build and simulate:
+Enter your account password and click **"Continue"**.
-```bash
-# TypeScript only
-bun install
+### Step 4: Complete two-factor authentication
-make build
-cre workflow simulate ./my-workflow --target staging-settings
-```
+You'll be prompted to complete two-factor authentication based on the method you configured during account creation:
-The CLI picks up the compiled binary at `wasm/workflow.wasm` automatically.
+- **If you set up an authenticator app**: Open your authenticator app and enter the 6-digit one-time code it generates for your CRE account.
+- **If you set up biometric authentication**: Use your fingerprint or face recognition as prompted by your device.
-## Try it yourself
+Example of entering a one-time code from an authenticator app:
-Walk through the full custom build flow end to end using a hello-world project.
+### Step 5: Confirm successful login
-**1. Convert your workflow to a custom build:** Run the following command from your project root:
+Once authenticated, you'll see a confirmation message in your browser:
+
+You can now close the browser window and return to your terminal. Your terminal will display:
```bash
-cre workflow custom-build ./my-workflow
+Login completed successfully
```
-**2. Open the generated `Makefile`:** In the `my-workflow` directory, you'll see a new `Makefile` with a `build` target.
+Your CLI session is authenticated and ready to use.
-Code snippet for my-workflow/Makefile:
+In the terminal, the CLI may show **“Fetching user context…”** while it downloads your organization’s tenant configuration from the platform. It then writes **`~/.cre/context.yaml`** (registry manifest: vault gateway URL, registries, secrets auth flows, and related fields). That file is separate from your credentials file (`cre.yaml`). For details and a sanitized example, see [Tenant context cache](/cre/reference/cli/authentication#tenant-context-cache).
-```bash
-.PHONY: build
+---
-build:
- bun cre-compile main.ts wasm/workflow.wasm
-```
+# Managing Authentication
+Source: https://docs.chain.link/cre/account/managing-auth
+Last Updated: 2026-03-26
-Install dependencies and run the initial build:
+This guide covers how to manage your CLI authentication, including browser-based login, API key authentication, checking your status, handling session expiration, and logging out.
-```bash
-# TypeScript only
-bun install
+## Logging in
-make build
-cre workflow simulate ./my-workflow --target staging-settings
-```
+To authenticate your CLI with your CRE account, use the `cre login` command. This opens a browser window where you'll enter your credentials and complete two-factor authentication.
-For a hello-world workflow you'll see output like `"Hello world!"`.
+For detailed login instructions, see the [Logging in with the CLI](/cre/account/cli-login) guide.
-**3. Add a custom step to your `Makefile`** (highlighted line shows what to add):
+Browser login stores **`~/.cre/cre.yaml`** (credentials) and **`~/.cre/context.yaml`** (cached **tenant context**: registry manifest from the platform, including vault gateway URL and related settings). **`cre logout`** removes both. For a full description and a sample `context.yaml` shape, see [Tenant context cache](/cre/reference/cli/authentication#tenant-context-cache).
-Code snippet for my-workflow/Makefile:
+## API key authentication
-```bash
-.PHONY: build
-build:
- echo "Running my custom build step..." # highlight-line
- bun cre-compile main.ts wasm/workflow.wasm
-```
+
+ API key authentication requires your account to have Early Access approval for deployment. To request Early Access , please share details about your project and use case—this helps us provide better support as you build with CRE.
+
-**4. Rebuild and simulate again:** Run the following commands from your project root:
+For CI/CD pipelines or headless environments where a browser is not available, you can authenticate using the `CRE_API_KEY` environment variable. When set, the CLI uses the API key automatically — no `cre login` required.
```bash
-make build
-cre workflow simulate ./my-workflow --target staging-settings
+export CRE_API_KEY="your-api-key"
+cre whoami
```
-When `make build` runs you'll see `Running my custom build step...` printed before compilation.
+API keys are created in the **APIs** tab of the **Organization** page in the CRE platform . For full details, see [API Key Authentication](/cre/reference/cli/authentication#api-key-authentication).
-Swap the `echo` for any real step: type checking, linting, code generation, or a custom compiler invocation.
+## Session expiration
-## Generated Makefile
+Your CLI session remains authenticated until you explicitly log out or until your session expires. When your session expires, you'll need to log in again.
-The generated `Makefile` is ready to use. The only requirement is that `make build` produces `wasm/workflow.wasm`.
+If you attempt to run a command with an expired session, you'll see an error:
-**Go:**
+```bash
+Error: failed to attach credentials: failed to load credentials: you are not logged in, try running cre login
+```
-```makefile
-.PHONY: build
+To resolve this, simply run `cre login` again to re-authenticate.
-build:
- GOOS=wasip1 GOARCH=wasm CGO_ENABLED=0 go build -o wasm/workflow.wasm -trimpath -ldflags="-buildid= -w -s" .
+## Checking authentication status
+
+To verify that you're logged in and view your account details, use the `cre whoami` command:
+
+```bash
+cre whoami
```
-**TypeScript:**
+This command displays your account information:
-```makefile
-.PHONY: build
+```bash
+Account details retrieved:
-build:
- bun cre-compile main.ts wasm/workflow.wasm
+Email: email@domain.com
+Organization ID: org_mEMRknbVURM9DWsB
+Deploy Access: Not enabled (run 'cre account access' to request)
```
-## Customizing the Makefile
+If you're not logged in, you'll receive an error message prompting you to run `cre login`.
-Edit the generated `Makefile` to add any steps your build requires.
+To check your deploy access status or submit a request, see [Requesting Deploy Access](/cre/account/deploy-access).
-**Example: Go with build tags:**
+## Logging out
-```makefile
-.PHONY: build
+To explicitly end your CLI session and remove your stored credentials **and cached tenant context** (`context.yaml`), use the `cre logout` command:
-build:
- GOOS=wasip1 GOARCH=wasm CGO_ENABLED=0 go build -tags mytag -o wasm/workflow.wasm -trimpath -ldflags="-buildid= -w -s" .
+```bash
+cre logout
```
-**Example: TypeScript with type checking, linting, and formatting:**
-
-```makefile
-.PHONY: build format lint typecheck
+After logging out, you'll need to run `cre login` again to authenticate future CLI commands.
-format:
- bun run format
-lint: format
- bun run lint
-typecheck: lint
- bun run typecheck
+---
-build: typecheck
- bun cre-compile main.ts wasm/workflow.wasm
-```
+# Requesting Deploy Access
+Source: https://docs.chain.link/cre/account/deploy-access
+Last Updated: 2026-02-26
-## Learn more
+Deploying workflows to a Chainlink DON requires Early Access approval. You can request access in two ways:
-- [`cre workflow custom-build` reference](/cre/reference/cli/workflow#cre-workflow-custom-build): Command flags and usage
-- [Simulating Workflows](/cre/guides/operations/simulating-workflows): Testing your workflow locally
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows): Deploying to the Workflow Registry
+- **From the CLI** — Run `cre account access` to check your status or submit a request directly from your terminal
+- **From the web** — Visit app.chain.link/cre/request-access to fill out the request form
----
+## Check your access status
-# Account
-Source: https://docs.chain.link/cre/account
-Last Updated: 2026-02-12
+Run the following command to see your current deployment access status:
-Your CRE account is required to use the CRE CLI. You must be authenticated to run CLI commands, including simulating workflows, deploying workflows, and managing deployed workflows. You can authenticate using the browser-based `cre login` flow or an [API key](/cre/reference/cli/authentication#api-key-authentication) for CI/CD and headless environments(\*). This section covers everything you need to know about creating and managing your account.
+```bash
+cre account access
+```
-(\*) API key authentication requires your account to have Early Access approval.
+Your access status is also shown when you run `cre whoami`:
-## What you'll need
+```bash
+cre whoami
+```
-To use CRE, you need:
+```
+Account details retrieved:
-1. **A CRE account** - Created through the web interface at app.chain.link/cre/discover (to create a new organization) or via an invitation link from an organization Owner (to join an existing organization)
-2. **Two-factor authentication** - Set up during account creation for security
-3. **CLI authentication** - Connect your CLI to your account using `cre login` or an [API key](/cre/reference/cli/authentication#api-key-authentication)
+Email: email@domain.com
+Organization ID: org_mEMRknbVURM9DWsB
+Deploy Access: Not enabled (run 'cre account access' to request)
+```
-## Account guides
+## Request deploy access
-- **[Creating Your Account](/cre/account/creating-account)** - Step-by-step guide to creating a new CRE account through the CRE UI
-- **[Logging in with the CLI](/cre/account/cli-login)** - Authenticate your CLI with your CRE account to run commands
-- **[Managing Authentication](/cre/account/managing-auth)** - Check your login status, handle session expiration, and log out
-- **[Requesting Deploy Access](/cre/account/deploy-access)** - Check your deployment access status or submit a request for Early Access
+If your organization does not have deploy access, `cre account access` will prompt you to submit a request:
-## Security features
+```
+! Deployment access is not yet enabled for your organization.
-Your CRE account includes several security features:
+ Request deployment access? Yes
+```
-- **Two-factor authentication (2FA)** - Required during login for an additional layer of security
-- **Recovery codes** - Provided during account setup to regain access if you lose your authenticator device
-- **Session management** - CLI sessions automatically expire after a period of inactivity
+After confirming, you'll be asked to briefly describe what you're building:
-
- Never share your password, two-factor authentication codes, or recovery codes with anyone. Store your recovery code in
- a secure location separate from your password.
-
+```
+ Briefly describe your use case
+ What are you building with CRE?
+```
-## Related guides
+Once submitted, you'll see:
-Once you have your account set up and authenticated:
+```
+✓ Access request submitted successfully!
-- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn about CRE organizations, roles, and permissions
-- **[Linking Wallet Keys](/cre/organization/linking-keys)** - Connect your wallet to deploy workflows
+Our team will review your request and get back to you via email shortly.
+```
----
+You'll receive a confirmation email, and the Chainlink team will follow up once your request has been reviewed.
-# Creating Your Account
-Source: https://docs.chain.link/cre/account/creating-account
-Last Updated: 2025-11-04
-Before you can use CRE, you need to create an account. An account is required to log in with the CRE CLI and run any CLI commands, including [simulating](/cre/guides/operations/simulating-workflows) workflows.
+
+ Deploy access is only required for `cre workflow deploy`. You can continue developing and simulating workflows locally with `cre workflow simulate` while your request is under review.
+
-There are two ways to create an account:
+## What happens after approval
-1. **Create a new organization**: Sign up directly on the CRE UI . You'll become the *Owner* of a new organization.
-2. **Join an existing organization**: Accept an invitation from an existing organization Owner. You'll become a *Member* of that organization automatically after account creation.
+Once your organization is granted deploy access, `cre whoami` will show:
-This guide walks you through the account creation process for both scenarios.
+```
+Deploy Access: Enabled
+```
-## Prerequisites
+You can then use `cre workflow deploy` to deploy workflows to the Workflow Registry. See [Deploying Workflows](/cre/guides/operations/deploying-workflows) for next steps.
-- A valid email address
-- Access to your email inbox to receive verification codes (and invitation email, if joining an existing organization)
+## Prompted automatically
-## Step 1: Navigate to the CRE UI
+You don't need to run `cre account access` proactively. The CLI will prompt you to request access automatically in two situations:
-There are two ways to begin the account creation process:
+- When you run `cre workflow deploy` without access
+- After a successful `cre workflow simulate`, as a reminder that deployment is available once access is granted
-### Option A: Create a new organization
+---
-In this option, you'll create a new organization and become the *Owner* of that organization.
+# Organization
+Source: https://docs.chain.link/cre/organization
+Last Updated: 2025-11-04
-Go to app.chain.link/cre/discover and click the **"Create an account"** button.
+CRE organizations enable teams to collaborate on workflow development and deployment. An organization provides a shared workspace where multiple members can deploy workflows, link wallet addresses, and monitor execution activity together.
-### Option B: Join an existing organization
+## Organization guides
-In this option, you'll join an existing organization and become a *Member* of that organization.
+- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn how organizations work, including roles, permissions, and shared resources
+- **[Linking Wallet Keys](/cre/organization/linking-keys)** - Connect your wallet address to deploy and manage workflows
+- **[Inviting Team Members](/cre/organization/inviting-members)** - Add colleagues to your organization (Owner only)
-If you've received an invitation email from an organization Owner, click the **"Accept Invitation"** button in the email. This will redirect you to the account creation page.
+---
+# Understanding Organizations
+Source: https://docs.chain.link/cre/organization/understanding-organizations
+Last Updated: 2025-11-04
-
- Only Owners can invite new members. Learn more about [Understanding Organizations](/cre/organization/understanding-organizations).
-
+## What is an organization?
-After choosing either option, continue with the following steps to complete your account creation.
+A CRE organization is a collaborative workspace that allows multiple team members to deploy, manage, and monitor workflows together. When you create a CRE account, you either start a new organization (becoming the *Owner*) or join an existing one (becoming a *Member*).
-## Step 2: Enter your information
+An organization serves as a container for:
-Fill in the required information:
+- **Multiple team members** with different roles (Owner and Members)
+- **Linked wallet addresses** from all team members
+- **Deployed workflows** visible to all organization members
+- **Shared monitoring** of workflow executions and activity
-1. **Email address**: Enter a valid email address (if not already pre-filled)
-2. **Country**: Select your country from the dropdown
-3. **Terms and policies**: Review and accept the Terms of Service and Privacy Policy
+Organizations enable teams to collaborate on CRE workflows while maintaining individual control over their own wallet addresses and secrets.
-Click **"Continue"** to proceed.
+## Organization structure
-## Step 3: Verify your email
+### Single Owner model
-
- If you're joining an existing organization via an invitation link, **skip this step**. Your email is already verified
- when you accept the invitation, and you'll proceed directly to setting your password.
-
+Every organization has exactly **one Owner**—the person who first created the organization account. The Owner role:
-Check your email inbox for a message from Chainlink containing a 6-digit verification code. Enter this code in the verification screen and click **Continue**.
+- Cannot be transferred or changed
+- Has full administrative control
+- Can invite new Members to join
+- Can link wallet addresses and deploy workflows
-
- If you don't see the verification email, check your spam folder. You can also request a new code by clicking "Resend
- Code" on the verification screen.
-
+### Multiple Members
-## Step 4: Set your password
+Members are users invited by the Owner to join the organization. Each member:
-Create a secure password for your account. Your password must meet the security requirements displayed on the screen.
+- Joins automatically after accepting the invitation and creating their account
+- Can link their own wallet addresses to the organization
+- Can deploy and manage their own workflows
+- Views all organization workflows in the shared dashboard
-
- Use a strong, unique password that you don't use for other services. Consider using a password manager to generate and
- store secure passwords.
-
+### Shared visibility
-## Step 5: Set up two-factor authentication (2FA)
+All organization members can:
-To secure your account, you'll need to set up two-factor authentication. You'll be presented with two authentication method options:
+1. **View linked wallet keys** - Use `cre account list-key` to see all addresses linked to the organization by any member
+2. **Monitor all workflows** - Access app.chain.link/cre/workflows to view:
+ - All deployed workflows across the organization
+ - Recent execution history
+ - Workflow status (Active, Paused, Pending)
+ - Execution success/failure metrics
+ - Activity graphs and trends
-1. **Fingerprint or Face Recognition** - Use biometric authentication on your device
-2. **Google Authenticator or similar** - Use an authenticator app
+## Organization roles
-### Using an authenticator app
+CRE uses a simple role-based access control system with two roles:
-If you choose the authenticator app option:
+| Role | Description | Permissions | How to obtain |
+| ---------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
+| **Owner** | The person who first created the organization account | Full access to all organization resources and workflows Invite new members to the organization Manage organization settings Deploy, activate, pause, update, and delete workflows View all organization workflows Link wallet addresses to the organization Deploy and manage workflows under their linked addresses Access workflow execution data
- If you're having difficulty scanning the QR code, click "Trouble Scanning?" on the screen for alternative setup
- options.
+- There is only one Owner per organization
+- Owner permissions cannot be transferred
+- Only Owners can invite new Members
+- Members automatically join after accepting the invitation and creating an account
+
+
+
+ Additional roles with more granular permissions may be added in future releases to provide more flexible access control for larger teams.
-## Step 6: Save your recovery code
+## Learn more
-Your recovery code is essential for regaining access to your account if you lose access to your authenticator device.
+- **[Inviting Team Members](/cre/organization/inviting-members)** - How Owners can add Members to the organization
+- **[Linking Wallet Keys](/cre/organization/linking-keys)** - How to link your wallet address to deploy workflows
+- **[Creating Your Account](/cre/account/creating-account)** - How to create an account and join or create an organization
+- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow after linking a key
-1. Copy the recovery code displayed on the screen
-2. Store it securely in a password manager or offline location
-3. Check the box "I have safely recorded this code"
-4. Click **"Continue"** to complete account creation
+---
-
- **Never share your recovery code with anyone.** You'll need this code if you ever need to log in without your
- authenticator device. Store it in a secure location.
-
+# Linking Wallet Keys
+Source: https://docs.chain.link/cre/organization/linking-keys
+Last Updated: 2025-11-04
-After completing these steps, you'll be redirected to your CRE dashboard.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
-## What's next?
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
-Once your account is created:
+## What is key linking?
-1. **[Log in to the CRE CLI](/cre/account/cli-login)** - Authenticate your CLI session
-2. **If you created a new organization (Owner)**: [Invite team members](/cre/organization/inviting-members) to collaborate on workflows
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
----
+**Key benefits:**
-# Logging in with the CLI
-Source: https://docs.chain.link/cre/account/cli-login
-Last Updated: 2026-03-26
+- Multiple team members can link their own addresses to the same organization
+- Each linked address can independently deploy and manage public onchain registry workflows
+- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
+- All linked addresses are visible to organization members via cre account list-key
-To deploy and manage workflows with the CRE CLI, you need to authenticate your CLI session with your CRE account. This guide walks you through the browser-based login process.
+**Important constraints:**
+- **One organization per address**: Each wallet address can only be linked to one CRE organization at a time. If you need to use the same address with a different organization, you must first [unlink it](#unlinking-a-key) from the current organization.
+- **Maximum 2 keys per organization**: Each organization can link a maximum of 2 web3 keys. If you need to link a third key, you must first [unlink](#unlinking-a-key) one of the existing keys.
-
- If you need to authenticate without a browser (e.g., in a CI/CD pipeline), use [API key authentication](/cre/reference/cli/authentication#api-key-authentication) instead.
+However, an organization can have multiple wallet addresses linked to it, allowing team members to use their own addresses or enabling separation between development, staging, and production environments.
+
+
+
+ If you try to link an address that's already registered with another organization, the CLI will display an error. To use this address with your current organization, you must first unlink it from the other organization using cre account unlink-key (note: this will delete all workflows registered under that address in the other organization).
## Prerequisites
-- [CRE CLI installed](/cre/getting-started/cli-installation) on your machine
-- [CRE account created](/cre/account/creating-account)
-- Access to your authenticator app for two-factor authentication
+Before linking a key, ensure you have:
-## Login process
+- **CRE CLI installed and authenticated**: See [CLI Installation](/cre/getting-started/cli-installation) and [Logging in with the CLI](/cre/account/cli-login)
+- **A CRE project directory**: You must run the command from a project directory that contains a `project.yaml` file
+- **Private key in `.env`**: Set `CRE_ETH_PRIVATE_KEY=` (without `0x` prefix) in your `.env` file
+- **Funded wallet**: Your wallet must have ETH on Ethereum Mainnet to pay for gas fees (the Workflow Registry contract is deployed on Ethereum Mainnet)
+- **Unlinked address**: The wallet address must not already be linked to another CRE organization. Each address can only be associated with one organization at a time.
-### Step 1: Initiate login from the terminal
-Open your terminal and run the login command:
+
+ Your `.env` file contains sensitive private keys. Ensure it's listed in `.gitignore` and never committed to version control.
+
-```bash
-cre login
-```
+## Linking your first key
-This command will automatically open your default web browser to begin the authentication process.
+The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
-
- If your browser doesn't open automatically, the CLI will display a URL that you can manually copy and paste into your
- browser.
-
+### Automatic linking during deployment
-### Step 2: Enter your email address
+1. Navigate to your project directory (where your `.env` file is located)
-In the browser window that opens, enter the email address associated with your CRE account and click **"Continue"**.
+2. Attempt to deploy a workflow:
-### Step 3: Enter your password
+ ```bash
+ cre workflow deploy my-workflow --target production-settings
+ ```
-Enter your account password and click **"Continue"**.
+3. The CLI will detect that your address isn't linked and prompt you:
-### Step 4: Complete two-factor authentication
+ ```bash
+ Verifying ownership...
+ Workflow owner link status: owner=, linked=false
+ Owner not linked. Attempting auto-link: owner=
+ Linking web3 key to your CRE organization
+ Target : production-settings
+ ✔ Using Address :
-You'll be prompted to complete two-factor authentication based on the method you configured during account creation:
+ ✔ Provide a label for your owner address: █
+ ```
-- **If you set up an authenticator app**: Open your authenticator app and enter the 6-digit one-time code it generates for your CRE account.
-- **If you set up biometric authentication**: Use your fingerprint or face recognition as prompted by your device.
+4. Enter a descriptive label for your address
-Example of entering a one-time code from an authenticator app:
+5. Review the transaction details and confirm
-### Step 5: Confirm successful login
+The CLI will submit the transaction and continue with the deployment once the key is linked.
-Once authenticated, you'll see a confirmation message in your browser:
+### Manual linking
-You can now close the browser window and return to your terminal. Your terminal will display:
+You can also link a key manually before attempting to deploy:
```bash
-Login completed successfully
+cre account link-key --target production-settings
```
-Your CLI session is authenticated and ready to use.
-
-In the terminal, the CLI may show **“Fetching user context…”** while it downloads your organization’s tenant configuration from the platform. It then writes **`~/.cre/context.yaml`** (registry manifest: vault gateway URL, registries, secrets auth flows, and related fields). That file is separate from your credentials file (`cre.yaml`). For details and a sanitized example, see [Tenant context cache](/cre/reference/cli/authentication#tenant-context-cache).
+**Interactive flow:**
----
+1. The CLI derives your public address from the private key in `.env`
+2. You're prompted to provide a label
+3. The CLI checks if the address is already linked
+4. Transaction details are displayed (chain, contract address, estimated gas cost)
+5. You confirm to execute the transaction
+6. The transaction is submitted and you receive a block explorer link
-# Managing Authentication
-Source: https://docs.chain.link/cre/account/managing-auth
-Last Updated: 2026-03-26
+**Example output:**
-This guide covers how to manage your CLI authentication, including browser-based login, API key authentication, checking your status, handling session expiration, and logging out.
+```bash
+Linking web3 key to your CRE organization
+Target : production-settings
+✔ Using Address :
-## Logging in
+Provide a label for your owner address:
-To authenticate your CLI with your CRE account, use the `cre login` command. This opens a browser window where you'll enter your credentials and complete two-factor authentication.
+Checking existing registrations...
+✓ No existing link found for this address
+Starting linking: owner=, label=
+Contract address validation passed
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
+ Function: LinkOwner
+ ...
+Estimated Cost:
+ Gas Price: 0.12450327 gwei
+ Total Cost: 0.00001606 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+```
-For detailed login instructions, see the [Logging in with the CLI](/cre/account/cli-login) guide.
+After confirming, you'll see:
-Browser login stores **`~/.cre/cre.yaml`** (credentials) and **`~/.cre/context.yaml`** (cached **tenant context**: registry manifest from the platform, including vault gateway URL and related settings). **`cre logout`** removes both. For a full description and a sample `context.yaml` shape, see [Tenant context cache](/cre/reference/cli/authentication#tenant-context-cache).
+```bash
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/
-## API key authentication
+[OK] web3 address linked to your CRE organization successfully
+→ You can now deploy public onchain registry workflows using this address
+```
-
- API key authentication requires your account to have Early Access approval for deployment. To request Early Access , please share details about your project and use case—this helps us provide better support as you build with CRE.
-
+## Viewing linked keys
-For CI/CD pipelines or headless environments where a browser is not available, you can authenticate using the `CRE_API_KEY` environment variable. When set, the CLI uses the API key automatically — no `cre login` required.
+To see all addresses linked to your organization:
```bash
-export CRE_API_KEY="your-api-key"
-cre whoami
+cre account list-key
```
-API keys are created in the **APIs** tab of the **Organization** page in the CRE platform . For full details, see [API Key Authentication](/cre/reference/cli/authentication#api-key-authentication).
+**Example output:**
-## Session expiration
+```bash
+Workflow owners retrieved successfully:
-Your CLI session remains authenticated until you explicitly log out or until your session expires. When your session expires, you'll need to log in again.
+Linked Owners:
-If you attempt to run a command with an expired session, you'll see an error:
+ 1. JohnProd
+ Owner Address:
+ Status: VERIFICATION_STATUS_SUCCESSFULL
+ Verified At: 2025-10-21T17:22:24.394249Z
+ Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
+ Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
-```bash
-Error: failed to attach credentials: failed to load credentials: you are not logged in, try running cre login
+ 2. JaneProd
+ Owner Address:
+ Status: VERIFICATION_STATUS_SUCCESSFULL
+ Verified At: 2025-10-21T17:22:24.394249Z
+ Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
+ Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
```
-To resolve this, simply run `cre login` again to re-authenticate.
+**Understanding the output:**
-## Checking authentication status
+- **Label**: The friendly name you provided (e.g., "JohnProd", "JaneProd")
+- **Owner Address**: The public address linked to your organization
+- **Status**: `VERIFICATION_STATUS_SUCCESSFULL` (linked and verified)
+- **Verified At**: Timestamp when the link was confirmed onchain
+- **Chain Selector**: The chain identifier where the Workflow Registry contract is deployed
+- **Contract Address**: The Workflow Registry contract address
-To verify that you're logged in and view your account details, use the `cre whoami` command:
-```bash
-cre whoami
-```
+
+ All members of your organization can see all linked addresses using `cre account list-key`. This helps teams coordinate workflow ownership and deployment.
+
-This command displays your account information:
+## Linking multiple addresses
-```bash
-Account details retrieved:
+Your organization can link **up to 2 wallet addresses**. Each individual address can only be linked to one organization at a time.
-Email: email@domain.com
-Organization ID: org_mEMRknbVURM9DWsB
-Deploy Access: Not enabled (run 'cre account access' to request)
-```
+This is useful for:
-If you're not logged in, you'll receive an error message prompting you to run `cre login`.
+- **Separation of concerns**: Different addresses for development, staging, and production
+- **Team collaboration**: Each team member uses their own address
+- **Multi-sig wallets**: Link a multi-sig address alongside individual addresses
-To check your deploy access status or submit a request, see [Requesting Deploy Access](/cre/account/deploy-access).
+To link another address:
-## Logging out
+1. Update your `.env` file with the new private key
+2. Run `cre account link-key --target ` again
+3. Provide a unique label to distinguish this address
-To explicitly end your CLI session and remove your stored credentials **and cached tenant context** (`context.yaml`), use the `cre logout` command:
+## Unlinking a key
-```bash
-cre logout
-```
+If you need to remove a linked address from your organization, you can use the `cre account unlink-key` command. This is useful when:
-After logging out, you'll need to run `cre login` again to authenticate future CLI commands.
+- Rotating addresses for security reasons
+- Removing addresses that are no longer in use
+- Cleaning up test or development addresses
----
-# Requesting Deploy Access
-Source: https://docs.chain.link/cre/account/deploy-access
-Last Updated: 2026-02-26
+
+ **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
+
-Deploying workflows to a Chainlink DON requires Early Access approval. You can request access in two ways:
+To unlink a key:
-- **From the CLI** — Run `cre account access` to check your status or submit a request directly from your terminal
-- **From the web** — Visit app.chain.link/cre/request-access to fill out the request form
+1. Ensure your `.env` file contains the private key of the address you want to unlink
-## Check your access status
+2. Run the unlink command:
-Run the following command to see your current deployment access status:
+ ```bash
+ cre account unlink-key --target production-settings
+ ```
-```bash
-cre account access
-```
+3. Confirm the operation when prompted
-Your access status is also shown when you run `cre whoami`:
+The CLI will submit an onchain transaction to remove the address from the Workflow Registry. After the transaction is confirmed, the address and all its associated workflows will be deleted.
-```bash
-cre whoami
-```
+## Unlinking a key without the original private key
-```
-Account details retrieved:
+If you need to unlink a key but no longer have access to the original private key (for example, the key owner left your organization), you can still complete the unlinking process using a different wallet.
-Email: email@domain.com
-Organization ID: org_mEMRknbVURM9DWsB
-Deploy Access: Not enabled (run 'cre account access' to request)
-```
-## Request deploy access
+
+ **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
+
-If your organization does not have deploy access, `cre account access` will prompt you to submit a request:
+### How it works
-```
-! Deployment access is not yet enabled for your organization.
+When you run `cre account unlink-key --unsigned` while logged into your CRE organization, the CLI generates:
- Request deployment access? Yes
-```
+1. An authorization signature proving you have permission to unlink the key (through your CRE organization membership)
+2. Raw transaction data that any funded wallet can submit to the blockchain
-After confirming, you'll be asked to briefly describe what you're building:
-```
- Briefly describe your use case
- What are you building with CRE?
-```
+
+ The authorization is tied to the **organization**, not to the individual who originally linked the key. Any authenticated member of the CRE organization can generate valid unlink authorization for keys linked to that organization.
+
-Once submitted, you'll see:
+### Prerequisites
-```
-✓ Access request submitted successfully!
+- **Logged in to CRE CLI**: You must be authenticated as a member of the CRE organization that owns the key
+- **`workflow-owner-address` configured**: Set this in your `project.yaml` to the address you want to unlink
+- **A funded wallet**: Any wallet with ETH on Ethereum Mainnet to submit the transaction and pay gas fees
-Our team will review your request and get back to you via email shortly.
-```
+### Steps
-You'll receive a confirmation email, and the Chainlink team will follow up once your request has been reviewed.
+1. **Configure your `project.yaml`** with the address you want to unlink:
+ ```yaml
+ production-settings:
+ account:
+ workflow-owner-address: ""
+ # ... other settings
+ ```
-
- Deploy access is only required for `cre workflow deploy`. You can continue developing and simulating workflows locally with `cre workflow simulate` while your request is under review.
-
+2. **Generate the unsigned transaction**:
-## What happens after approval
+ ```bash
+ cre account unlink-key --unsigned --target production-settings
+ ```
-Once your organization is granted deploy access, `cre whoami` will show:
+ **Example output:**
-```
-Deploy Access: Enabled
-```
+ ```bash
+ Unlinking web3 key from your CRE organization
+ Target : production-settings
+ ✔ Using Address : 0x....
-You can then use `cre workflow deploy` to deploy workflows to the Workflow Registry. See [Deploying Workflows](/cre/guides/operations/deploying-workflows) for next steps.
+ Starting unlinking: owner=0x....
+ ✔ Yes
+ Contract address validation passed
+ --unsigned flag detected: transaction not sent onchain.
+ Generating call data for offline signing and submission in your preferred tool:
-## Prompted automatically
+ Ownership unlinking initialized successfully!
-You don't need to run `cre account access` proactively. The CLI will prompt you to request access automatically in two situations:
+ Next steps:
-- When you run `cre workflow deploy` without access
-- After a successful `cre workflow simulate`, as a reminder that deployment is available once access is granted
+ 1. Submit the following transaction on the target chain:
----
+ Chain: ethereum-mainnet
+ Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-# Organization
-Source: https://docs.chain.link/cre/organization
-Last Updated: 2025-11-04
+ 2. Use the following transaction data:
-CRE organizations enable teams to collaborate on workflow development and deployment. An organization provides a shared workspace where multiple members can deploy workflows, link wallet addresses, and monitor execution activity together.
+ 39d68c6a000000000000000000...
-## Organization guides
+ Unlinked successfully
+ ```
-- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn how organizations work, including roles, permissions, and shared resources
-- **[Linking Wallet Keys](/cre/organization/linking-keys)** - Connect your wallet address to deploy and manage workflows
-- **[Inviting Team Members](/cre/organization/inviting-members)** - Add colleagues to your organization (Owner only)
+3. **Submit the transaction** using any wallet that supports sending transactions with custom data.
----
-# Understanding Organizations
-Source: https://docs.chain.link/cre/organization/understanding-organizations
-Last Updated: 2025-11-04
+
+ **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
+
-## What is an organization?
+ Here's an example using MetaMask:
-A CRE organization is a collaborative workspace that allows multiple team members to deploy, manage, and monitor workflows together. When you create a CRE account, you either start a new organization (becoming the *Owner*) or join an existing one (becoming a *Member*).
+ 1. In MetaMask, go to **Settings → Advanced** and enable **"Show hex data"**
+ 2. Click **Send** and enter the contract address as the recipient 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ 3. Set the amount to **0 ETH**
+ 4. Paste the transaction data in the **Hex data** field (add `0x` prefix)
+ 5. Review and confirm the transaction
-An organization serves as a container for:
+ The unlink operation completes once the transaction is confirmed onchain. All workflows registered under that address will be permanently deleted.
-- **Multiple team members** with different roles (Owner and Members)
-- **Linked wallet addresses** from all team members
-- **Deployed workflows** visible to all organization members
-- **Shared monitoring** of workflow executions and activity
+## Non-interactive mode
-Organizations enable teams to collaborate on CRE workflows while maintaining individual control over their own wallet addresses and secrets.
+For automation or CI/CD pipelines, use the `--yes` flag to skip confirmation prompts:
-## Organization structure
+```bash
+cre account link-key --owner-label "CI Pipeline Wallet" --yes --target production-settings
+```
-### Single Owner model
+## Using multi-sig wallets
-Every organization has exactly **one Owner**—the person who first created the organization account. The Owner role:
+If you're using a multi-sig wallet, you'll need to use the `--unsigned` flag to generate raw transaction data that you can then submit through your multi-sig interface (such as Safe).
-- Cannot be transferred or changed
-- Has full administrative control
-- Can invite new Members to join
-- Can link wallet addresses and deploy workflows
+### Prerequisites for multi-sig
-### Multiple Members
+1. Configure your multi-sig address in `project.yaml` under the `account` section:
-Members are users invited by the Owner to join the organization. Each member:
+ ```yaml
+ production-settings:
+ account:
+ workflow-owner-address: ""
+ # ... other settings
+ ```
-- Joins automatically after accepting the invitation and creating their account
-- Can link their own wallet addresses to the organization
-- Can deploy and manage their own workflows
-- Views all organization workflows in the shared dashboard
+2. Ensure your `.env` file contains the private key of any signer from the multi-sig wallet (used only for signature generation, not for sending transactions)
-### Shared visibility
+### Linking a multi-sig address
-All organization members can:
+Run the `link-key` command with the `--unsigned` flag:
-1. **View linked wallet keys** - Use `cre account list-key` to see all addresses linked to the organization by any member
-2. **Monitor all workflows** - Access app.chain.link/cre/workflows to view:
- - All deployed workflows across the organization
- - Recent execution history
- - Workflow status (Active, Paused, Pending)
- - Execution success/failure metrics
- - Activity graphs and trends
+```bash
+cre account link-key --owner-label "SafeWallet" --target production-settings --unsigned
+```
-## Organization roles
+**Example output:**
-CRE uses a simple role-based access control system with two roles:
+```bash
+Linking web3 key to your CRE organization
+Target : production-settings
+✔ Using Address :
-| Role | Description | Permissions | How to obtain |
-| ---------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
-| **Owner** | The person who first created the organization account | Full access to all organization resources and workflows Invite new members to the organization Manage organization settings Deploy, activate, pause, update, and delete workflows View all organization workflows Link wallet addresses to the organization Deploy and manage workflows under their linked addresses Access workflow execution data , label=SafeWallet
+Contract address validation passed
+--unsigned flag detected: transaction not sent onchain.
+Generating call data for offline signing and submission in your preferred tool:
-**Key points:**
+Ownership linking initialized successfully!
-- There is only one Owner per organization
-- Owner permissions cannot be transferred
-- Only Owners can invite new Members
-- Members automatically join after accepting the invitation and creating an account
+Next steps:
+ 1. Submit the following transaction on the target chain:
+ Chain: ethereum-mainnet
+ Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-
- Additional roles with more granular permissions may be added in future releases to provide more flexible access control for larger teams.
-
+ 2. Use the following transaction data:
-## Learn more
+ dc1019690000000000000000000000000000000000000000000000000000000068fd2f9465259a804e880ee30de0fcc2b81ee25d598ee1601e13ace2c2ec10202869706800000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000041bd0f40824a1fdce10ee1091703833fb3d4497b3f681f6edee6b159d217326185407ce16eb1c668c90786421b053d4d25401f422aa90d156c35659d7c3e2e13221b00000000000000000000000000000000000000000000000000000000000000
-- **[Inviting Team Members](/cre/organization/inviting-members)** - How Owners can add Members to the organization
-- **[Linking Wallet Keys](/cre/organization/linking-keys)** - How to link your wallet address to deploy workflows
-- **[Creating Your Account](/cre/account/creating-account)** - How to create an account and join or create an organization
-- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow after linking a key
+Linked successfully
+```
----
+### Submitting through your multi-sig interface
-# Linking Wallet Keys
-Source: https://docs.chain.link/cre/organization/linking-keys
-Last Updated: 2025-11-04
+1. **Copy the transaction data** provided in the CLI output
+2. **Open your multi-sig interface** (e.g., Safe app at [https://app.safe.global](https://app.safe.global))
+3. **Create a new transaction** with:
+ - **To address**: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 (Workflow Registry contract)
+ - **Value**: 0 (no ETH transfer)
+ - **Data**: Paste the transaction data from the CLI output (add 0x prefix if required by your multi-sig interface)
+4. **Submit and collect signatures** from the required number of signers
+5. **Execute the transaction** once you have enough signatures
-Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+**Note**: If your multi-sig interface requires the RegistryWorkflow contract ABI, you can copy it from Etherscan .
-Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
+### Verifying the multi-sig link
-## What is key linking?
+After the multi-sig transaction is executed onchain, you can verify the link status:
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
+```bash
+cre account list-key
+```
-**Key benefits:**
+Initially, you'll see the address with a `VERIFICATION_STATUS_PENDING` status:
-- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage public onchain registry workflows
-- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
-- All linked addresses are visible to organization members via cre account list-key
+```bash
+Workflow owners retrieved successfully:
-**Important constraints:**
+Linked Owners:
-- **One organization per address**: Each wallet address can only be linked to one CRE organization at a time. If you need to use the same address with a different organization, you must first [unlink it](#unlinking-a-key) from the current organization.
-- **Maximum 2 keys per organization**: Each organization can link a maximum of 2 web3 keys. If you need to link a third key, you must first [unlink](#unlinking-a-key) one of the existing keys.
+ 1. SafeWallet
+ Owner Address:
+ Status: VERIFICATION_STATUS_PENDING
+ Verified At:
+ Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
+ Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
+```
-However, an organization can have multiple wallet addresses linked to it, allowing team members to use their own addresses or enabling separation between development, staging, and production environments.
+Once the transaction is confirmed onchain, the status will change to `VERIFICATION_STATUS_SUCCESSFULL` and the `Verified At` timestamp will be populated.
-
- If you try to link an address that's already registered with another organization, the CLI will display an error. To use this address with your current organization, you must first unlink it from the other organization using cre account unlink-key (note: this will delete all workflows registered under that address in the other organization).
+
+ Once your multi-sig address is linked, you'll also need to use the `--unsigned` flag for workflow deployment and management commands (`deploy`, `activate`, `pause`, `delete`). See the [Deploying Workflows guide](/cre/guides/operations/deploying-workflows) for more details on using multi-sig wallets with workflow operations.
-## Prerequisites
+## Learn more
-Before linking a key, ensure you have:
+- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn about organization structure and shared resources
+- **[Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets)** - Advanced guide for multi-sig wallet workflows
+- **[Account Management CLI Reference](/cre/reference/cli/account)** - Complete reference for `cre account` commands
+- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow after linking a key
-- **CRE CLI installed and authenticated**: See [CLI Installation](/cre/getting-started/cli-installation) and [Logging in with the CLI](/cre/account/cli-login)
-- **A CRE project directory**: You must run the command from a project directory that contains a `project.yaml` file
-- **Private key in `.env`**: Set `CRE_ETH_PRIVATE_KEY=` (without `0x` prefix) in your `.env` file
-- **Funded wallet**: Your wallet must have ETH on Ethereum Mainnet to pay for gas fees (the Workflow Registry contract is deployed on Ethereum Mainnet)
-- **Unlinked address**: The wallet address must not already be linked to another CRE organization. Each address can only be associated with one organization at a time.
+---
+# Inviting Team Members
+Source: https://docs.chain.link/cre/organization/inviting-members
+Last Updated: 2025-11-04
-
- Your `.env` file contains sensitive private keys. Ensure it's listed in `.gitignore` and never committed to version control.
+To collaborate with your team on CRE workflows, you can invite members to your organization. This guide walks you through the invitation process.
+
+
+ The first person to create an account for your organization automatically becomes the **Owner**. Only the Owner can
+ invite new members to the organization.
-## Linking your first key
+## Prerequisites
-The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
+- You must be logged in to app.chain.link/cre/discover
+- You must be the Owner of your organization
+- The email addresses you're inviting must belong to whitelisted domains
-### Automatic linking during deployment
+## Step 1: Navigate to Organization settings
-1. Navigate to your project directory (where your `.env` file is located)
+In the left sidebar, click on **"Organization"**.
-2. Attempt to deploy a workflow:
+## Step 2: Go to the Members tab
- ```bash
- cre workflow deploy my-workflow --target production-settings
- ```
+Click on the **"Members"** tab to view your organization's members.
-3. The CLI will detect that your address isn't linked and prompt you:
+## Step 3: Start the invitation process
- ```bash
- Verifying ownership...
- Workflow owner link status: owner=, linked=false
- Owner not linked. Attempting auto-link: owner=
- Linking web3 key to your CRE organization
- Target : production-settings
- ✔ Using Address :
+Click the **"Invite"** button in the top right corner.
- ✔ Provide a label for your owner address: █
- ```
+## Step 4: Add team member details
-4. Enter a descriptive label for your address
+Enter the **name** and **email address** of the person you want to invite.
-5. Review the transaction details and confirm
+### Inviting multiple members at once
-The CLI will submit the transaction and continue with the deployment once the key is linked.
+To invite more than one person:
-### Manual linking
+1. Click the **"Add person"** button (visible in the screenshot above)
+2. Enter the name and email for each additional person
+3. Repeat as needed
-You can also link a key manually before attempting to deploy:
+## Step 5: Send invitations
-```bash
-cre account link-key --target production-settings
-```
+Once you've added all the people you want to invite, click the **"Submit"** button in the bottom right corner.
-**Interactive flow:**
+The invited members will receive an email invitation to join your organization.
-1. The CLI derives your public address from the private key in `.env`
-2. You're prompted to provide a label
-3. The CLI checks if the address is already linked
-4. Transaction details are displayed (chain, contract address, estimated gas cost)
-5. You confirm to execute the transaction
-6. The transaction is submitted and you receive a block explorer link
+## What happens next?
-**Example output:**
+After you send invitations:
-```bash
-Linking web3 key to your CRE organization
-Target : production-settings
-✔ Using Address :
+1. **Email notification**: Each invited person receives an email with instructions to join your organization
+2. **Account creation**: If they don't have a CRE account yet, they'll be invited to create one
+3. **Automatic membership**: Once they complete account creation, they'll automatically become members of your organization—no additional acceptance step required
+4. **Access**: They'll immediately have access to your organization's workflows and resources
-Provide a label for your owner address:
+
+ The email addresses you invite must belong to domains that are whitelisted for CRE access. If an invited member's
+ domain is not whitelisted, they won't be able to complete the account creation process.
+
-Checking existing registrations...
-✓ No existing link found for this address
-Starting linking: owner=, label=
-Contract address validation passed
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
- Function: LinkOwner
- ...
-Estimated Cost:
- Gas Price: 0.12450327 gwei
- Total Cost: 0.00001606 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-```
+## Related guides
-After confirming, you'll see:
+- [Understanding Organizations](/cre/organization/understanding-organizations) - Learn about organization roles and permissions
+- [Linking Wallet Keys](/cre/organization/linking-keys) - Help new members connect their wallets
-```bash
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/
+---
-[OK] web3 address linked to your CRE organization successfully
+# Capabilities Overview
+Source: https://docs.chain.link/cre/capabilities
+Last Updated: 2025-11-04
-→ You can now deploy public onchain registry workflows using this address
-```
+At the core of the Chainlink Runtime Environment (CRE) is the concept of **Capabilities**. A capability is a modular, decentralized service that performs a specific task. Think of them as the individual "bricks" that you can use to build custom workflows.
-## Viewing linked keys
+Each capability is powered by its own independent Decentralized Oracle Network (DON), which is optimized for that specific task, ensuring security and reliable performance.
-To see all addresses linked to your organization:
+## Invoking Capabilities via the SDK
-```bash
-cre account list-key
-```
+As a developer, you do not interact with these capability DONs directly. Instead, you invoke them through the developer-friendly interfaces provided by the **CRE SDKs** ([Go](/cre/reference/sdk/core-go) and [TypeScript](/cre/reference/sdk/core-ts)), such as the [`evm.Client`](/cre/reference/sdk/evm-client) or the [`http.Client`](/cre/reference/sdk/http-client). The SDK handles the low-level complexity of communicating with the correct DON and processing the consensus-verified result, allowing you to focus on your business logic.
-**Example output:**
+## Available Capabilities
-```bash
-Workflow owners retrieved successfully:
+This section provides a high-level, conceptual overview of the capabilities currently available in CRE.
-Linked Owners:
+- **[Triggers](/cre/capabilities/triggers)**: Event sources that start your workflow executions.
+- **[HTTP](/cre/capabilities/http)**: Fetch and post data from external APIs with decentralized consensus.
+- **[Confidential HTTP](/cre/capabilities/confidential-http)**: Make privacy-preserving API calls with enclave execution, secret injection, and optional response encryption.
+- **[EVM Read & Write](/cre/capabilities/evm-read-write)**: Interact with smart contracts on EVM-compatible blockchains with decentralized consensus.
- 1. JohnProd
- Owner Address:
- Status: VERIFICATION_STATUS_SUCCESSFULL
- Verified At: 2025-10-21T17:22:24.394249Z
- Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
- Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
+All execution capabilities (HTTP, Confidential HTTP, EVM) automatically use [built-in consensus](/cre/concepts/consensus-computing) to validate results across multiple nodes, ensuring security and reliability.
- 2. JaneProd
- Owner Address:
- Status: VERIFICATION_STATUS_SUCCESSFULL
- Verified At: 2025-10-21T17:22:24.394249Z
- Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
- Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
-```
+---
-**Understanding the output:**
+# The Trigger Capability
+Source: https://docs.chain.link/cre/capabilities/triggers
+Last Updated: 2025-11-04
-- **Label**: The friendly name you provided (e.g., "JohnProd", "JaneProd")
-- **Owner Address**: The public address linked to your organization
-- **Status**: `VERIFICATION_STATUS_SUCCESSFULL` (linked and verified)
-- **Verified At**: Timestamp when the link was confirmed onchain
-- **Chain Selector**: The chain identifier where the Workflow Registry contract is deployed
-- **Contract Address**: The Workflow Registry contract address
+**Triggers** are a special type of capability that initiate the execution of your workflow. They are event-driven services that constantly watch for a specific condition to be met. When the condition occurs, the trigger fires and instructs CRE to run the callback function you have registered for that event. Learn more about the [trigger-and-callback model](/cre/#the-trigger-and-callback-model).
+## Trigger types
-
- All members of your organization can see all linked addresses using `cre account list-key`. This helps teams coordinate workflow ownership and deployment.
+CRE provides several types of triggers to start your workflows:
+
+- **Time-based:** The `Cron` trigger fires at a specific time or on a recurring schedule (e.g., "every 5 minutes").
+- **Request-based:** The `HTTP` trigger fires when an external system makes an HTTP request to your workflow's endpoint. HTTP triggers require authorization keys when deployed to ensure only authorized addresses can trigger your workflow.
+- **Onchain Events:** The `EVM Log` trigger fires when a specific event is emitted by a smart contract on a supported blockchain.
+
+
+ **In simulation** (`cre workflow simulate`), triggers are manually selected and executed immediately to test your workflow logic without waiting for real events. This allows rapid iteration during development.
+
+ **In deployed workflows**, the Workflow DON continuously monitors for trigger events and automatically executes your callback when conditions are met. Time-based triggers run on schedule, HTTP triggers respond to incoming requests, and EVM log triggers fire when smart contract events occur.
+
+ See the [Simulating Workflows guide](/cre/guides/operations/simulating-workflows) for details on testing triggers locally.
-## Linking multiple addresses
+## Learn more
-Your organization can link **up to 2 wallet addresses**. Each individual address can only be linked to one organization at a time.
+- **[Using Triggers Guides](/cre/guides/workflow/using-triggers/overview)**: Learn how to use the SDK to register handlers for the different trigger types.
+- **[Triggers SDK Reference](/cre/reference/sdk/triggers/overview)**: See the detailed API reference for trigger configurations and payloads.
-This is useful for:
+---
-- **Separation of concerns**: Different addresses for development, staging, and production
-- **Team collaboration**: Each team member uses their own address
-- **Multi-sig wallets**: Link a multi-sig address alongside individual addresses
+# The HTTP Capability
+Source: https://docs.chain.link/cre/capabilities/http
+Last Updated: 2026-03-17
-To link another address:
+The **HTTP** capability is a decentralized service that allows your workflow to securely interact with any external, offchain API. It can be used to both **fetch data from** and **send data to** other systems.
-1. Update your `.env` file with the new private key
-2. Run `cre account link-key --target ` again
-3. Provide a unique label to distinguish this address
+## Why use a Capability for HTTP Requests?
-## Unlinking a key
+When your workflow needs to interact with an external API, the HTTP capability provides decentralized execution across multiple independent nodes.
-If you need to remove a linked address from your organization, you can use the `cre account unlink-key` command. This is useful when:
+When you use the SDK's `http.Client` to make a request (like a `GET` or a `POST`), you are invoking this capability. CRE instructs each node in a dedicated DON to make the same API request. The nodes' individual responses are then **validated through a consensus protocol**, which ensures they agree on the result before returning it to your workflow.
-- Rotating addresses for security reasons
-- Removing addresses that are no longer in use
-- Cleaning up test or development addresses
+This provides cryptographically verified, tamper-proof execution for your offchain data operations.
+
+ **In local simulation** (`cre workflow simulate`), HTTP requests are made from your local machine to test your API integrations. The simulator processes responses using single-node consensus.
-
- **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
+ **In deployed workflows**, the HTTP capability DON executes your API requests across multiple nodes, and responses are validated through Byzantine Fault Tolerant (BFT) consensus before being returned to your workflow.
-To unlink a key:
+## Features
-1. Ensure your `.env` file contains the private key of the address you want to unlink
+- **Multiple headers per request**: Use the `MultiHeaders` field to send multiple headers in a single HTTP request. This is useful for APIs that require multiple authentication or content negotiation headers simultaneously.
-2. Run the unlink command:
+## Learn more
- ```bash
- cre account unlink-key --target production-settings
- ```
+- **[API Interactions Guide](/cre/guides/workflow/using-http-client)**: Learn how to use the SDK to invoke the HTTP capability.
+- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)**: See the detailed API reference for the `http.Client`.
-3. Confirm the operation when prompted
+---
-The CLI will submit an onchain transaction to remove the address from the Workflow Registry. After the transaction is confirmed, the address and all its associated workflows will be deleted.
+# The EVM Read & Write Capabilities
+Source: https://docs.chain.link/cre/capabilities/evm-read-write
+Last Updated: 2025-11-04
-## Unlinking a key without the original private key
+The **EVM Read & Write** capabilities provide a secure and reliable service for your workflow to interact with smart contracts on any EVM-compatible blockchain.
-If you need to unlink a key but no longer have access to the original private key (for example, the key owner left your organization), you can still complete the unlinking process using a different wallet.
+- **EVM Read:** Allows your workflow to call `view` and `pure` functions on a smart contract to read its state.
+- **EVM Write:** Allows your workflow to call state-changing functions on a smart contract to write data to the blockchain.
+## How it works
-
- **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
-
+When you use the SDK's [`evm.Client`](/cre/reference/sdk/evm-client) to interact with a contract, you are invoking these underlying capabilities. This provides a simpler and more reliable developer experience compared to crafting raw RPC calls.
-### How it works
+The SDKs simplify contract interactions with type-safe ABI handling (Go uses generated bindings, TypeScript uses viem), while the underlying CRE infrastructure manages consensus and transaction submission.
-When you run `cre account unlink-key --unsigned` while logged into your CRE organization, the CLI generates:
+### Key features
-1. An authorization signature proving you have permission to unlink the key (through your CRE organization membership)
-2. Raw transaction data that any funded wallet can submit to the blockchain
+- **Type-safe interactions**: SDKs provide type safety for contract calls (Go bindings offer compile-time safety, TypeScript uses viem for runtime type checking)
+- **Decentralized execution**: Read and write operations are executed across multiple nodes in a DON with cryptographic verification
+- **Decentralized consensus**: Multiple DON nodes independently verify read results and validate write operations before onchain submission
+- **Chain selector support**: Target specific blockchains using Chainlink's chain selector system
+- **Block number flexibility**: Read from finalized, latest, or a specific block number
+- **Error handling**: Comprehensive error reporting for failed calls and transactions
+
+ **In local simulation**, the simulator makes real RPC calls to your configured endpoint.
-
- The authorization is tied to the **organization**, not to the individual who originally linked the key. Any authenticated member of the CRE organization can generate valid unlink authorization for keys linked to that organization.
+ **In deployed workflows**, the EVM capability DON executes contract calls across multiple nodes with decentralized consensus.
-### Prerequisites
+### Understanding EVM Write operations
-- **Logged in to CRE CLI**: You must be authenticated as a member of the CRE organization that owns the key
-- **`workflow-owner-address` configured**: Set this in your `project.yaml` to the address you want to unlink
-- **A funded wallet**: Any wallet with ETH on Ethereum Mainnet to submit the transaction and pay gas fees
+For **EVM Write** operations, your workflow doesn't write directly to your contract. Instead, the data follows a secure multi-step flow:
-### Steps
+1. **Your workflow** generates a cryptographically signed report with your ABI-encoded data
+2. **The EVM Write capability** submits this report to a Chainlink-managed `KeystoneForwarder` contract
+3. **The forwarder** validates the report's cryptographic signatures
+4. **The forwarder** calls your consumer contract's `onReport(bytes metadata, bytes report)` function to deliver the data
-1. **Configure your `project.yaml`** with the address you want to unlink:
+This architecture ensures decentralized consensus, cryptographic verification, and accountability. Your consumer contract must implement the `IReceiver` interface to receive data from the forwarder.
- ```yaml
- production-settings:
- account:
- workflow-owner-address: ""
- # ... other settings
- ```
+Learn more in the [Onchain Write guide](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
-2. **Generate the unsigned transaction**:
+## Learn more
- ```bash
- cre account unlink-key --unsigned --target production-settings
- ```
+- **[EVM Chain Interactions Guide](/cre/guides/workflow/using-evm-client/overview)**: Learn how to read from and write to smart contracts
+- **[EVM Client SDK Reference](/cre/reference/sdk/evm-client)**: Detailed API reference for the `evm.Client`
- **Example output:**
+---
- ```bash
- Unlinking web3 key from your CRE organization
- Target : production-settings
- ✔ Using Address : 0x....
+# Consensus Computing in CRE
+Source: https://docs.chain.link/cre/concepts/consensus-computing
+Last Updated: 2025-11-04
- Starting unlinking: owner=0x....
- ✔ Yes
- Contract address validation passed
- --unsigned flag detected: transaction not sent onchain.
- Generating call data for offline signing and submission in your preferred tool:
+**Consensus computing** is the foundational computing paradigm that makes CRE secure and reliable. It ensures that every operation your workflow performs—whether fetching data from an API or reading from a blockchain—is verified by multiple independent nodes before producing a final result.
- Ownership unlinking initialized successfully!
+## What is consensus computing?
- Next steps:
+Consensus computing is when a decentralized network of nodes must form consensus as part of executing code and storing information. Unlike traditional computing where you trust a single server or service, consensus computing provides unique guarantees:
- 1. Submit the following transaction on the target chain:
+- **Tamper-resistance**: No single node can manipulate results
+- **High availability**: The network continues operating even if individual nodes fail
+- **Trust minimization**: You don't need to trust any single entity
+- **Verifiability**: All results are cryptographically verified
- Chain: ethereum-mainnet
- Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+Blockchains pioneered consensus computing for maintaining asset ledgers and executing smart contracts. CRE extends this paradigm to **any offchain operation**—API calls, computations, and more.
- 2. Use the following transaction data:
+## How CRE uses consensus
- 39d68c6a000000000000000000...
+In CRE, **every execution capability automatically includes decentralized consensus**. Here's how it works:
- Unlinked successfully
- ```
+1. **Independent execution**: When your workflow invokes a capability (like `http.Client` or `evm.Client`), each node in the dedicated capability DON performs the operation independently
+2. **Result collection**: Each node produces its own result based on what it observed
+3. **Consensus protocol**: The DON applies a Byzantine Fault Tolerant (BFT) consensus protocol to validate and aggregate the individual results
+4. **Verified output**: A single, consensus-verified result is returned to your workflow
-3. **Submit the transaction** using any wallet that supports sending transactions with custom data.
+This process happens automatically for every capability call. You don't need to write any special code—consensus is built into the CRE runtime environment.
+## Why this matters for your workflows
-
- **Unlinking a key will permanently delete all workflows registered under that address.** This action cannot be undone. Make sure you want to permanently remove all associated workflows before proceeding.
-
+### Protection against node failures and manipulation
- Here's an example using MetaMask:
+CRE's consensus model protects against individual node failures and malicious behavior. When multiple independent nodes execute the same operation:
- 1. In MetaMask, go to **Settings → Advanced** and enable **"Show hex data"**
- 2. Click **Send** and enter the contract address as the recipient 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- 3. Set the amount to **0 ETH**
- 4. Paste the transaction data in the **Hex data** field (add `0x` prefix)
- 5. Review and confirm the transaction
+- **Node-level resilience**: If some nodes fail or go offline, the network continues operating
+- **Byzantine Fault Tolerance**: Even if some nodes are compromised and return incorrect results, the honest majority ensures the correct outcome
+- **Execution consistency**: All nodes must execute your workflow logic identically, preventing manipulation by individual operators
- The unlink operation completes once the transaction is confirmed onchain. All workflows registered under that address will be permanently deleted.
+### Validated and verified results
-## Non-interactive mode
+Every result your workflow receives has been cryptographically verified and validated across multiple nodes. This provides strong guarantees that:
-For automation or CI/CD pipelines, use the `--yes` flag to skip confirmation prompts:
+- The operation was executed correctly
+- The result matches what independent observers agreed upon
+- No single node operator can manipulate your workflow's execution or outputs
-```bash
-cre account link-key --owner-label "CI Pipeline Wallet" --yes --target production-settings
-```
+### Unified security model
-## Using multi-sig wallets
+With CRE, your **entire institutional-grade smart contract**—not just the onchain parts—benefits from consensus computing. This means:
-If you're using a multi-sig wallet, you'll need to use the `--unsigned` flag to generate raw transaction data that you can then submit through your multi-sig interface (such as Safe).
+- **API responses** are validated across multiple nodes before your workflow uses them
+- **Blockchain reads** are verified by multiple nodes
+- **Blockchain writes** are validated by multiple nodes before being submitted onchain
+- **Computation results** within your workflow are executed consistently across all nodes
-### Prerequisites for multi-sig
+Your workflow inherits the same security and reliability guarantees as blockchain transactions, but for any offchain operation.
-1. Configure your multi-sig address in `project.yaml` under the `account` section:
+## Consensus in practice
- ```yaml
- production-settings:
- account:
- workflow-owner-address: ""
- # ... other settings
- ```
+### HTTP capability
-2. Ensure your `.env` file contains the private key of any signer from the multi-sig wallet (used only for signature generation, not for sending transactions)
+When your workflow makes an API request using `http.Client`, the HTTP capability DON executes your request across multiple nodes. Their responses are validated through a consensus protocol before returning a result to your workflow.
-### Linking a multi-sig address
+This ensures:
-Run the `link-key` command with the `--unsigned` flag:
+- Execution consistency across all nodes
+- Protection against individual node compromise or failure
+- Detection of inconsistent API responses (e.g., due to load balancing or timing)
-```bash
-cre account link-key --owner-label "SafeWallet" --target production-settings --unsigned
-```
+See the [HTTP Capability](/cre/capabilities/http) page for details.
-**Example output:**
+### EVM Read & Write capability
-```bash
-Linking web3 key to your CRE organization
-Target : production-settings
-✔ Using Address :
+When your workflow reads from or writes to a blockchain using `evm.Client`, the EVM capability DON performs the operation across multiple nodes:
-Checking existing registrations...
-✓ No existing link found for this address
-Starting linking: owner=, label=SafeWallet
-Contract address validation passed
---unsigned flag detected: transaction not sent onchain.
-Generating call data for offline signing and submission in your preferred tool:
+- **For reads**: Multiple nodes independently query the blockchain, and consensus validates their responses match
+- **For writes**: Multiple nodes agree on the transaction data before submitting it onchain
-Ownership linking initialized successfully!
+This ensures:
-Next steps:
+- Execution consistency across all nodes
+- Protection against individual node compromise or failure
+- Validated blockchain data before use in your workflow
- 1. Submit the following transaction on the target chain:
- Chain: ethereum-mainnet
- Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+See the [EVM Read & Write Capability](/cre/capabilities/evm-read-write) page for details.
- 2. Use the following transaction data:
+## Consensus in simulation vs. deployed workflows
- dc1019690000000000000000000000000000000000000000000000000000000068fd2f9465259a804e880ee30de0fcc2b81ee25d598ee1601e13ace2c2ec10202869706800000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000041bd0f40824a1fdce10ee1091703833fb3d4497b3f681f6edee6b159d217326185407ce16eb1c668c90786421b053d4d25401f422aa90d156c35659d7c3e2e13221b00000000000000000000000000000000000000000000000000000000000000
+
+ **In local simulation** (`cre workflow simulate`), consensus uses a single-node model to test your workflow's logic quickly. The "consensus" step still occurs, but involves a single node wrapping its result in a standardized report structure. This allows you to build and test against the final SDK interfaces without the overhead of multi-node consensus.
-Linked successfully
-```
+ **In deployed workflows**, true multi-node Byzantine Fault Tolerant (BFT) consensus is performed across all capability DON operations, providing full decentralized security guarantees.
+
-### Submitting through your multi-sig interface
+## Learn more
-1. **Copy the transaction data** provided in the CLI output
-2. **Open your multi-sig interface** (e.g., Safe app at [https://app.safe.global](https://app.safe.global))
-3. **Create a new transaction** with:
- - **To address**: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 (Workflow Registry contract)
- - **Value**: 0 (no ETH transfer)
- - **Data**: Paste the transaction data from the CLI output (add 0x prefix if required by your multi-sig interface)
-4. **Submit and collect signatures** from the required number of signers
-5. **Execute the transaction** once you have enough signatures
+Learn more about how to use CRE capabilities with built-in consensus:
-**Note**: If your multi-sig interface requires the RegistryWorkflow contract ABI, you can copy it from Etherscan .
+- **[Capabilities Overview](/cre/capabilities)**: Explore all available capabilities
+- **[API Interactions](/cre/guides/workflow/using-http-client)**: Learn how to use the HTTP capability with built-in consensus
+- **[EVM Chain Interactions](/cre/guides/workflow/using-evm-client/overview)**: Learn how to use the EVM capability with built-in consensus
-### Verifying the multi-sig link
+---
-After the multi-sig transaction is executed onchain, you can verify the link status:
+# AI-Powered Prediction Market
+Source: https://docs.chain.link/cre/demos/prediction-market
+Last Updated: 2025-11-21
-```bash
-cre account list-key
-```
+This demo showcases a complete, end-to-end prediction market application that integrates CRE with external services. Unlike [templates](/cre/templates) that are meant to be copied and customized, this demo is designed to be explored and studied to understand what's possible with CRE.
-Initially, you'll see the address with a `VERIFICATION_STATUS_PENDING` status:
-```bash
-Workflow owners retrieved successfully:
+
+ This page includes educational examples to use a Chainlink system, product, or service and is provided to
+ demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
+ template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
+ missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
+ code in this example in a production environment without completing your own audits and application of best practices.
+ Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
+ that are generated due to errors in code.
+
-Linked Owners:
+## GitHub Repository
- 1. SafeWallet
- Owner Address:
- Status: VERIFICATION_STATUS_PENDING
- Verified At:
- Chain Selector: 5009297550715157269 # Chain selector for Ethereum Mainnet
- Contract Address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5 # Workflow Registry contract address
-```
+The [repository](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo) contains complete setup instructions, including quick start guides and full end-to-end deployment steps.
-Once the transaction is confirmed onchain, the status will change to `VERIFICATION_STATUS_SUCCESSFULL` and the `Verified At` timestamp will be populated.
+## What this demo does
+This demo showcases a fully automated prediction market where:
-
- Once your multi-sig address is linked, you'll also need to use the `--unsigned` flag for workflow deployment and management commands (`deploy`, `activate`, `pause`, `delete`). See the [Deploying Workflows guide](/cre/guides/operations/deploying-workflows) for more details on using multi-sig wallets with workflow operations.
-
+1. **Users create markets** by asking binary (Yes/No) questions onchain
+2. **Users stake ERC-20 tokens** (USDC) to make predictions
+3. **After the market closes**, anyone can request settlement
+4. **CRE automatically triggers** when it detects the settlement request event
+5. **Gemini AI determines the outcome** using Google search grounding for factual verification
+6. **CRE submits a cryptographically signed settlement** report back onchain
+7. **Settlement data is stored in Firestore** for audit trails and frontend display
+8. **Winners claim their proportional share** of the total pool
-## Learn more
+## Key integrations
-- **[Understanding Organizations](/cre/organization/understanding-organizations)** - Learn about organization structure and shared resources
-- **[Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets)** - Advanced guide for multi-sig wallet workflows
-- **[Account Management CLI Reference](/cre/reference/cli/account)** - Complete reference for `cre account` commands
-- **[Deploying Workflows](/cre/guides/operations/deploying-workflows)** - Deploy your first workflow after linking a key
+This demo demonstrates several important CRE integration patterns:
----
+### Event-driven workflows
-# Inviting Team Members
-Source: https://docs.chain.link/cre/organization/inviting-members
-Last Updated: 2025-11-04
+The CRE workflow listens for `SettlementRequested` events onchain using CRE's [EVM log trigger capability](/cre/guides/workflow/using-triggers/evm-log-trigger). When a settlement is requested, the workflow automatically triggers and begins the settlement process.
-To collaborate with your team on CRE workflows, you can invite members to your organization. This guide walks you through the invitation process.
+### External AI service integration
-
- The first person to create an account for your organization automatically becomes the **Owner**. Only the Owner can
- invite new members to the organization.
-
+The workflow sends the market question to Google's Gemini AI with search grounding enabled. Gemini searches the web to determine the factual outcome and returns a result with a confidence score.
-## Prerequisites
+### Data persistence
-- You must be logged in to app.chain.link/cre/discover
-- You must be the Owner of your organization
-- The email addresses you're inviting must belong to whitelisted domains
+Settlement results, including the AI's response and confidence level, are stored in [Firebase Firestore](https://firebase.google.com/docs/firestore). This creates a trail and enables the frontend to display settlement history.
-## Step 1: Navigate to Organization settings
+### Cryptographic signing
-In the left sidebar, click on **"Organization"**.
+The workflow generates cryptographically signed settlement reports that the smart contract can verify. This ensures only authorized, consensus-approved data reaches the contract.
-## Step 2: Go to the Members tab
+### Full-stack architecture
-Click on the **"Members"** tab to view your organization's members.
+The demo includes:
-## Step 3: Start the invitation process
+- **Smart contracts** (Solidity + Foundry): `SimpleMarket.sol` for managing prediction markets
+- **CRE workflow** (TypeScript): Event-driven settlement logic with AI integration
+- **Database** (Firebase/Firestore): Audit trail and data persistence
+- **Frontend** (Next.js): User interface for viewing settlement history
-Click the **"Invite"** button in the top right corner.
+## What you'll learn
-## Step 4: Add team member details
+Exploring this demo will teach you:
-Enter the **name** and **email address** of the person you want to invite.
+1. **Event-driven workflow patterns**: How to use CRE's log trigger to react to onchain events in real-time
+2. **External service integration**: Best practices for integrating AI services like Gemini with your workflows
+3. **Error handling and validation**: How to validate external API responses before using them onchain
+4. **Data persistence patterns**: Techniques for storing workflow results in external databases
+5. **Full-stack dApp architecture**: How CRE fits into a complete application with smart contracts, workflows, and frontends
+6. **Cryptographic signing**: How CRE generates and submits cryptographically signed reports
-### Inviting multiple members at once
+## Getting started
-To invite more than one person:
+The repository includes two quick start options:
-1. Click the **"Add person"** button (visible in the screenshot above)
-2. Enter the name and email for each additional person
-3. Repeat as needed
+### Option 1: Test CRE Workflow Only (Fastest)
-## Step 5: Send invitations
+Test the workflow using a pre-deployed contract and transaction. This lets you see the workflow in action without deploying anything yourself.
-Once you've added all the people you want to invite, click the **"Submit"** button in the bottom right corner.
+### Option 2: Full End-to-End Test
-The invited members will receive an email invitation to join your organization.
+Deploy your own contracts, create markets, request settlements, and run the workflow end-to-end. This gives you complete hands-on experience with all components.
-## What happens next?
+See the [repository README](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo) for detailed prerequisites and setup instructions.
-After you send invitations:
+## Next steps
-1. **Email notification**: Each invited person receives an email with instructions to join your organization
-2. **Account creation**: If they don't have a CRE account yet, they'll be invited to create one
-3. **Automatic membership**: Once they complete account creation, they'll automatically become members of your organization—no additional acceptance step required
-4. **Access**: They'll immediately have access to your organization's workflows and resources
+- **[Explore the repository](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo)** - Clone the demo and follow the setup instructions
+- **[Learn about log triggers](/cre/guides/workflow/using-triggers/evm-log-trigger)** - Understand how to build event-driven workflows
+- **[Explore HTTP capabilities](/cre/guides/workflow/using-http-client)** - Learn more about integrating external APIs
+- **[Browse templates](/cre/templates)** - Check out workflow templates you can copy and customize
-
- The email addresses you invite must belong to domains that are whitelisted for CRE access. If an invited member's
- domain is not whitelisted, they won't be able to complete the account creation process.
-
+---
-## Related guides
+# CLI Reference
+Source: https://docs.chain.link/cre/reference/cli
+Last Updated: 2026-05-08
-- [Understanding Organizations](/cre/organization/understanding-organizations) - Learn about organization roles and permissions
-- [Linking Wallet Keys](/cre/organization/linking-keys) - Help new members connect their wallets
+export const CRE_CLI_VERSION = VERSIONS["cre-cli"].LATEST
----
+
+ To ensure compatibility with the guides and examples in this documentation, please use version{" "}
+ {CRE_CLI_VERSION} of the CRE CLI. You can check your installed version by running `cre version`. Refer to
+ the [CLI Installation](/cre/getting-started/cli-installation/macos-linux) guide for more information.
+
-# Capabilities Overview
-Source: https://docs.chain.link/cre/capabilities
-Last Updated: 2025-11-04
+The CRE Command Line Interface (CLI) is your primary tool for developing, testing, deploying, and managing workflows. It handles project setup, contract binding generation (Go workflows only), local simulation, and workflow lifecycle management.
-At the core of the Chainlink Runtime Environment (CRE) is the concept of **Capabilities**. A capability is a modular, decentralized service that performs a specific task. Think of them as the individual "bricks" that you can use to build custom workflows.
+## Global flags
-Each capability is powered by its own independent Decentralized Oracle Network (DON), which is optimized for that specific task, ensuring security and reliable performance.
+These flags can be used with any `cre` command.
-## Invoking Capabilities via the SDK
+| Flag | Description |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `-h, --help` | Displays help information for any command |
+| `-e, --env` | Specifies the path to your `.env` file (default: `".env"`) |
+| `-E, --public-env` | Specifies the path to your `.env.public` file, which contains shared, non-sensitive build configuration |
+| `-T, --target` | Sets the target environment from your configuration files |
+| `-R, --project-root` | Specifies the path to the project root directory. By default, the CLI automatically finds the project root by searching for `project.yaml` in the current directory and parent directories |
+| `-v, --verbose` | Enables verbose logging to print `DEBUG` level logs |
+| `--non-interactive` | Fails instead of prompting; provide all required inputs with flags or environment variables. Use this for CI/CD, scripts, and other headless environments |
-As a developer, you do not interact with these capability DONs directly. Instead, you invoke them through the developer-friendly interfaces provided by the **CRE SDKs** ([Go](/cre/reference/sdk/core-go) and [TypeScript](/cre/reference/sdk/core-ts)), such as the [`evm.Client`](/cre/reference/sdk/evm-client) or the [`http.Client`](/cre/reference/sdk/http-client). The SDK handles the low-level complexity of communicating with the correct DON and processing the consensus-verified result, allowing you to focus on your business logic.
-## Available Capabilities
+
+ `cre login` requires a browser and is not available in non-interactive mode. For CI/CD and other headless environments, set `CRE_API_KEY` instead. See [API key authentication](/cre/reference/cli/authentication#api-key-authentication).
+
-This section provides a high-level, conceptual overview of the capabilities currently available in CRE.
+## Commands overview
-- **[Triggers](/cre/capabilities/triggers)**: Event sources that start your workflow executions.
-- **[HTTP](/cre/capabilities/http)**: Fetch and post data from external APIs with decentralized consensus.
-- **[Confidential HTTP](/cre/capabilities/confidential-http)**: Make privacy-preserving API calls with enclave execution, secret injection, and optional response encryption.
-- **[EVM Read & Write](/cre/capabilities/evm-read-write)**: Interact with smart contracts on EVM-compatible blockchains with decentralized consensus.
+### Authentication
-All execution capabilities (HTTP, Confidential HTTP, EVM) automatically use [built-in consensus](/cre/concepts/consensus-computing) to validate results across multiple nodes, ensuring security and reliability.
+Manage your authentication and account credentials.
----
+- **`cre login`** — Authenticate with the CRE UI, save credentials locally, and cache tenant context (`context.yaml`)
+- **`cre logout`** — Revoke authentication tokens and remove local credentials and cached tenant context
+- **`cre whoami`** — Show your current account details
-# The Trigger Capability
-Source: https://docs.chain.link/cre/capabilities/triggers
-Last Updated: 2025-11-04
+[View authentication commands →](/cre/reference/cli/authentication)
-**Triggers** are a special type of capability that initiate the execution of your workflow. They are event-driven services that constantly watch for a specific condition to be met. When the condition occurs, the trigger fires and instructs CRE to run the callback function you have registered for that event. Learn more about the [trigger-and-callback model](/cre/#the-trigger-and-callback-model).
+***
-## Trigger types
+### Project Setup
-CRE provides several types of triggers to start your workflows:
+Initialize projects and generate contract bindings (Go only).
-- **Time-based:** The `Cron` trigger fires at a specific time or on a recurring schedule (e.g., "every 5 minutes").
-- **Request-based:** The `HTTP` trigger fires when an external system makes an HTTP request to your workflow's endpoint. HTTP triggers require authorization keys when deployed to ensure only authorized addresses can trigger your workflow.
-- **Onchain Events:** The `EVM Log` trigger fires when a specific event is emitted by a smart contract on a supported blockchain.
+- [**`cre init`**](/cre/reference/cli/project-setup) — Initialize a new CRE project (interactive wizard or **`--non-interactive`** with flags for CI/CD)
+- **`cre generate-bindings`** (Go only) — Generate Go bindings from contract ABI files for type-safe contract interactions
-
- **In simulation** (`cre workflow simulate`), triggers are manually selected and executed immediately to test your workflow logic without waiting for real events. This allows rapid iteration during development.
+[View project setup commands →](/cre/reference/cli/project-setup)
- **In deployed workflows**, the Workflow DON continuously monitors for trigger events and automatically executes your callback when conditions are met. Time-based triggers run on schedule, HTTP triggers respond to incoming requests, and EVM log triggers fire when smart contract events occur.
+***
- See the [Simulating Workflows guide](/cre/guides/operations/simulating-workflows) for details on testing triggers locally.
-
+### Account Management
-## Learn more
+Manage your linked public key addresses and deployment access.
-- **[Using Triggers Guides](/cre/guides/workflow/using-triggers/overview)**: Learn how to use the SDK to register handlers for the different trigger types.
-- **[Triggers SDK Reference](/cre/reference/sdk/triggers/overview)**: See the detailed API reference for trigger configurations and payloads.
+- **`cre account access`** — Check deployment access status or submit an Early Access request
+- **`cre account link-key`** — Link a public key address to your account
+- **`cre account list-key`** — List workflow owners linked to your organization
+- **`cre account unlink-key`** — Unlink a public key address from your account
----
+[View account management commands →](/cre/reference/cli/account)
-# The HTTP Capability
-Source: https://docs.chain.link/cre/capabilities/http
-Last Updated: 2026-03-17
+***
-The **HTTP** capability is a decentralized service that allows your workflow to securely interact with any external, offchain API. It can be used to both **fetch data from** and **send data to** other systems.
+### Workflow Commands
-## Why use a Capability for HTTP Requests?
+Manage workflows throughout their entire lifecycle.
-When your workflow needs to interact with an external API, the HTTP capability provides decentralized execution across multiple independent nodes.
+- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
+- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
+- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
+- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
+- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow list`** — List workflows deployed for your organization; use `--output json` for scripts
+- **`cre workflow get`** — Show metadata for the workflow configured in `workflow.yaml`
+- **`cre workflow supported-chains`** — List chain names the CLI supports for local simulation; use `--output json` for scripts
+- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
-When you use the SDK's `http.Client` to make a request (like a `GET` or a `POST`), you are invoking this capability. CRE instructs each node in a dedicated DON to make the same API request. The nodes' individual responses are then **validated through a consensus protocol**, which ensures they agree on the result before returning it to your workflow.
+[View workflow commands →](/cre/reference/cli/workflow)
-This provides cryptographically verified, tamper-proof execution for your offchain data operations.
+***
-
- **In local simulation** (`cre workflow simulate`), HTTP requests are made from your local machine to test your API integrations. The simulator processes responses using single-node consensus.
+### Secrets Management
- **In deployed workflows**, the HTTP capability DON executes your API requests across multiple nodes, and responses are validated through Byzantine Fault Tolerant (BFT) consensus before being returned to your workflow.
-
+Manage secrets stored in the Vault DON for use in your workflows.
-## Features
+- **`cre secrets create`** — Create new secrets from a YAML file
+- **`cre secrets update`** — Update existing secrets
+- **`cre secrets delete`** — Delete secrets
+- **`cre secrets list`** — List secret identifiers in a namespace
-- **Multiple headers per request**: Use the `MultiHeaders` field to send multiple headers in a single HTTP request. This is useful for APIs that require multiple authentication or content negotiation headers simultaneously.
+[View secrets management commands →](/cre/reference/cli/secrets)
-## Learn more
+***
-- **[API Interactions Guide](/cre/guides/workflow/using-http-client)**: Learn how to use the SDK to invoke the HTTP capability.
-- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)**: See the detailed API reference for the `http.Client`.
+### Registry Commands
----
+Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-# The EVM Read & Write Capabilities
-Source: https://docs.chain.link/cre/capabilities/evm-read-write
-Last Updated: 2025-11-04
+- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
-The **EVM Read & Write** capabilities provide a secure and reliable service for your workflow to interact with smart contracts on any EVM-compatible blockchain.
+[View registry commands →](/cre/reference/cli/registry)
-- **EVM Read:** Allows your workflow to call `view` and `pure` functions on a smart contract to read its state.
-- **EVM Write:** Allows your workflow to call state-changing functions on a smart contract to write data to the blockchain.
+***
-## How it works
+### Template Sources
-When you use the SDK's [`evm.Client`](/cre/reference/sdk/evm-client) to interact with a contract, you are invoking these underlying capabilities. This provides a simpler and more reliable developer experience compared to crafting raw RPC calls.
+Manage the GitHub repositories that `cre init` uses to discover templates.
-The SDKs simplify contract interactions with type-safe ABI handling (Go uses generated bindings, TypeScript uses viem), while the underlying CRE infrastructure manages consensus and transaction submission.
+- **`cre templates list`** — List templates (human output includes required networks; **`--json`** for scripts)
+- **`cre templates add`** — Add a custom or third-party template repository
+- **`cre templates remove`** — Remove a template repository source
-### Key features
+[View template source commands →](/cre/reference/cli/templates)
-- **Type-safe interactions**: SDKs provide type safety for contract calls (Go bindings offer compile-time safety, TypeScript uses viem for runtime type checking)
-- **Decentralized execution**: Read and write operations are executed across multiple nodes in a DON with cryptographic verification
-- **Decentralized consensus**: Multiple DON nodes independently verify read results and validate write operations before onchain submission
-- **Chain selector support**: Target specific blockchains using Chainlink's chain selector system
-- **Block number flexibility**: Read from finalized, latest, or a specific block number
-- **Error handling**: Comprehensive error reporting for failed calls and transactions
+***
-
- **In local simulation**, the simulator makes real RPC calls to your configured endpoint.
+### Utilities
- **In deployed workflows**, the EVM capability DON executes contract calls across multiple nodes with decentralized consensus.
-
+Additional utility commands.
-### Understanding EVM Write operations
+- **`cre update`** — Update the CRE CLI to the latest version
+- **`cre version`** — Print the current version of the CRE CLI
-For **EVM Write** operations, your workflow doesn't write directly to your contract. Instead, the data follows a secure multi-step flow:
+[View utility commands →](/cre/reference/cli/utilities)
-1. **Your workflow** generates a cryptographically signed report with your ABI-encoded data
-2. **The EVM Write capability** submits this report to a Chainlink-managed `KeystoneForwarder` contract
-3. **The forwarder** validates the report's cryptographic signatures
-4. **The forwarder** calls your consumer contract's `onReport(bytes metadata, bytes report)` function to deliver the data
+## Typical development workflow
-This architecture ensures decentralized consensus, cryptographic verification, and accountability. Your consumer contract must implement the `IReceiver` interface to receive data from the forwarder.
+The typical workflow development process uses these commands in sequence:
-Learn more in the [Onchain Write guide](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
+1. **`cre init`** — Initialize your project
+2. **`cre generate-bindings`** — Generate contract bindings from ABIs (Go workflows only, if interacting with contracts)
+3. **`cre workflow simulate`** — Test your workflow locally
+4. **`cre workflow build`** — (Optional) Compile independently; useful in CI/CD pipelines
+5. **`cre workflow hash`** — (Optional) Inspect content hashes before deploying
+6. **`cre workflow deploy`** — Deploy your workflow to the registry
+7. **`cre workflow activate`** / **`cre workflow pause`** — Control workflow execution
+8. **`cre workflow list`** / **`cre workflow get`** — Inspect deployed workflow metadata
## Learn more
-- **[EVM Chain Interactions Guide](/cre/guides/workflow/using-evm-client/overview)**: Learn how to read from and write to smart contracts
-- **[EVM Client SDK Reference](/cre/reference/sdk/evm-client)**: Detailed API reference for the `evm.Client`
+- **[CLI Installation](/cre/getting-started/cli-installation)** — How to install and set up the CRE CLI
+- **[Getting Started](/cre/getting-started)** — Step-by-step tutorials using the CLI
+- **[Project Configuration](/cre/reference/project-configuration)** — Understanding project structure and configuration files
---
-# Consensus Computing in CRE
-Source: https://docs.chain.link/cre/concepts/consensus-computing
-Last Updated: 2025-11-04
-
-**Consensus computing** is the foundational computing paradigm that makes CRE secure and reliable. It ensures that every operation your workflow performs—whether fetching data from an API or reading from a blockchain—is verified by multiple independent nodes before producing a final result.
-
-## What is consensus computing?
-
-Consensus computing is when a decentralized network of nodes must form consensus as part of executing code and storing information. Unlike traditional computing where you trust a single server or service, consensus computing provides unique guarantees:
+# Authentication Commands
+Source: https://docs.chain.link/cre/reference/cli/authentication
+Last Updated: 2026-05-08
-- **Tamper-resistance**: No single node can manipulate results
-- **High availability**: The network continues operating even if individual nodes fail
-- **Trust minimization**: You don't need to trust any single entity
-- **Verifiability**: All results are cryptographically verified
+The CRE CLI supports two authentication methods:
-Blockchains pioneered consensus computing for maintaining asset ledgers and executing smart contracts. CRE extends this paradigm to **any offchain operation**—API calls, computations, and more.
+- **Browser-based login** (`cre login`) — Interactive login for local development
+- **API key** (`CRE_API_KEY` environment variable) — Non-interactive authentication for CI/CD pipelines and headless environments
-## How CRE uses consensus
+## Browser-based authentication
-In CRE, **every execution capability automatically includes decentralized consensus**. Here's how it works:
+### `cre login`
-1. **Independent execution**: When your workflow invokes a capability (like `http.Client` or `evm.Client`), each node in the dedicated capability DON performs the operation independently
-2. **Result collection**: Each node produces its own result based on what it observed
-3. **Consensus protocol**: The DON applies a Byzantine Fault Tolerant (BFT) consensus protocol to validate and aggregate the individual results
-4. **Verified output**: A single, consensus-verified result is returned to your workflow
+Starts the interactive authentication flow. This command opens your browser for user login, saves your credentials locally to `~/.cre/cre.yaml`, and **fetches your tenant context** from the CRE platform. That response is cached per CRE environment (for example `PRODUCTION`) in **`~/.cre/context.yaml`** — a registry manifest that includes items such as your vault gateway URL, workflow registries, and which secrets authentication flows each registry supports. See [Tenant context cache](#tenant-context-cache) below.
-This process happens automatically for every capability call. You don't need to write any special code—consensus is built into the CRE runtime environment.
+`cre login` requires a browser and is not available in `--non-interactive` mode. For CI/CD pipelines and other headless environments, use `CRE_API_KEY` instead.
-## Why this matters for your workflows
+**Usage:**
-### Protection against node failures and manipulation
+```bash
+cre login
+```
-CRE's consensus model protects against individual node failures and malicious behavior. When multiple independent nodes execute the same operation:
+**Authentication steps:**
-- **Node-level resilience**: If some nodes fail or go offline, the network continues operating
-- **Byzantine Fault Tolerance**: Even if some nodes are compromised and return incorrect results, the honest majority ensures the correct outcome
-- **Execution consistency**: All nodes must execute your workflow logic identically, preventing manipulation by individual operators
+1. The CLI opens your default web browser to the login page
+2. Enter your account email address
+3. Enter your account password
+4. Enter your one-time password (OTP) from your authenticator app
+5. The CLI automatically captures and saves your credentials locally, then fetches and caches tenant context (you may see **“Fetching user context…”** in the terminal)
-### Validated and verified results
+For a detailed walkthrough with screenshots, see [Logging in with the CLI](/cre/account/cli-login).
-Every result your workflow receives has been cryptographically verified and validated across multiple nodes. This provides strong guarantees that:
+### `cre logout`
-- The operation was executed correctly
-- The result matches what independent observers agreed upon
-- No single node operator can manipulate your workflow's execution or outputs
+Revokes authentication tokens and removes **local credentials** (`~/.cre/cre.yaml`) **and the cached tenant context file** (`~/.cre/context.yaml`). This invalidates the current session tokens and clears the CLI-side copy of your tenant registry manifest.
-### Unified security model
+**Usage:**
-With CRE, your **entire institutional-grade smart contract**—not just the onchain parts—benefits from consensus computing. This means:
+```bash
+cre logout
+```
-- **API responses** are validated across multiple nodes before your workflow uses them
-- **Blockchain reads** are verified by multiple nodes
-- **Blockchain writes** are validated by multiple nodes before being submitted onchain
-- **Computation results** within your workflow are executed consistently across all nodes
+### `cre whoami`
-Your workflow inherits the same security and reliability guarantees as blockchain transactions, but for any offchain operation.
+Shows your current account details. This command fetches and displays your account information, including your email and organization ID. This works with both browser-based login and API key authentication.
-## Consensus in practice
+**Usage:**
-### HTTP capability
+```bash
+cre whoami
+```
-When your workflow makes an API request using `http.Client`, the HTTP capability DON executes your request across multiple nodes. Their responses are validated through a consensus protocol before returning a result to your workflow.
-This ensures:
+
+ Use `cre whoami` to verify you're authenticated and check which account is currently active. This is useful before deploying workflows or performing other authenticated operations.
+
-- Execution consistency across all nodes
-- Protection against individual node compromise or failure
-- Detection of inconsistent API responses (e.g., due to load balancing or timing)
+## API key authentication
-See the [HTTP Capability](/cre/capabilities/http) page for details.
-### EVM Read & Write capability
+
+ API key authentication requires your account to have Early Access approval for deployment. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+
-When your workflow reads from or writes to a blockchain using `evm.Client`, the EVM capability DON performs the operation across multiple nodes:
+For CI/CD pipelines, automated scripts, or any environment where a browser is not available, you can authenticate using an API key. When the `CRE_API_KEY` environment variable is set, the CLI uses it automatically — no `cre login` required.
-- **For reads**: Multiple nodes independently query the blockchain, and consensus validates their responses match
-- **For writes**: Multiple nodes agree on the transaction data before submitting it onchain
+### Creating an API key
-This ensures:
+1. Log in to the CRE platform
+2. Navigate to the **Organization** page
+3. Select the **APIs** tab
+4. Click **+ Organization API**
+5. Give your key a name and confirm
-- Execution consistency across all nodes
-- Protection against individual node compromise or failure
-- Validated blockchain data before use in your workflow
-See the [EVM Read & Write Capability](/cre/capabilities/evm-read-write) page for details.
+
+ Treat your API key like a password. Do not commit it to version control or share it in plain text. Use your CI/CD platform's secret management to store it securely.
+
-## Consensus in simulation vs. deployed workflows
+### Using the API key
-
- **In local simulation** (`cre workflow simulate`), consensus uses a single-node model to test your workflow's logic quickly. The "consensus" step still occurs, but involves a single node wrapping its result in a standardized report structure. This allows you to build and test against the final SDK interfaces without the overhead of multi-node consensus.
+Set the `CRE_API_KEY` environment variable before running CLI commands:
- **In deployed workflows**, true multi-node Byzantine Fault Tolerant (BFT) consensus is performed across all capability DON operations, providing full decentralized security guarantees.
-
+```bash
+export CRE_API_KEY="your-api-key"
+cre whoami
+```
-## Learn more
+When `CRE_API_KEY` is set, the CLI skips the browser-based login flow entirely. All commands that require authentication (deploying, managing workflows, etc.) will use the API key. The CLI still **ensures tenant context** is available (fetching or refreshing `~/.cre/context.yaml` as needed) so your session matches the platform configuration for that key.
-Learn more about how to use CRE capabilities with built-in consensus:
+In a CI/CD pipeline, configure `CRE_API_KEY` as a secret environment variable in your platform and pass [`--non-interactive`](/cre/reference/cli#global-flags) to fail immediately if a command would otherwise prompt for input.
-- **[Capabilities Overview](/cre/capabilities)**: Explore all available capabilities
-- **[API Interactions](/cre/guides/workflow/using-http-client)**: Learn how to use the HTTP capability with built-in consensus
-- **[EVM Chain Interactions](/cre/guides/workflow/using-evm-client/overview)**: Learn how to use the EVM capability with built-in consensus
+## Tenant context cache
----
+After a successful browser login — and when using an API key for commands that load credentials — the CLI stores **tenant context** at **`~/.cre/context.yaml`**. This file comes from the platform’s **`getTenantConfig`** data: a **registry manifest** for your organization so the CLI knows your CRE environment layout (for example vault gateway URL, registries, and allowed secrets auth flows per registry). Values are grouped under your CRE environment name (such as `PRODUCTION`).
-# AI-Powered Prediction Market
-Source: https://docs.chain.link/cre/demos/prediction-market
-Last Updated: 2025-11-21
-This demo showcases a complete, end-to-end prediction market application that integrates CRE with external services. Unlike [templates](/cre/templates) that are meant to be copied and customized, this demo is designed to be explored and studied to understand what's possible with CRE.
+
+ **`cre.yaml`** holds authentication tokens for your session. **`context.yaml`** holds **tenant configuration** returned by the platform, not secrets. **`cre logout`** removes both files from your machine.
+
+The following example is **illustrative** only; your registries, addresses, and flow lists depend on your organization and environment.
-
- This page includes educational examples to use a Chainlink system, product, or service and is provided to
- demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
- template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
- missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
- code in this example in a production environment without completing your own audits and application of best practices.
- Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
- that are generated due to errors in code.
-
-
-## GitHub Repository
-
-The [repository](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo) contains complete setup instructions, including quick start guides and full end-to-end deployment steps.
+```yaml
+PRODUCTION:
+ tenant_id: ""
+ default_don_family: zone-a
+ vault_gateway_url: https://01.gateway.zone-a.cre.chain.link
+ registries:
+ - id: onchain:ethereum-mainnet
+ label: ethereum-mainnet (0x1234...abcd)
+ type: on-chain
+ chain_selector: ""
+ address: "0x0000000000000000000000000000000000000000"
+ secrets_auth_flows:
+ - browser
+ - owner-key-signing
+ - id: private
+ label: Private (Chainlink-hosted)
+ type: off-chain
+ secrets_auth_flows:
+ - browser
+```
-## What this demo does
+## Authentication methods summary
-This demo showcases a fully automated prediction market where:
+| Method | Best for | How it works |
+| ------------- | ------------------------------------- | ---------------------------------------------------- |
+| `cre login` | Local development | Opens a browser for interactive login with 2FA |
+| `CRE_API_KEY` | CI/CD, scripts, headless environments | Set the environment variable — no browser needed(\*) |
-1. **Users create markets** by asking binary (Yes/No) questions onchain
-2. **Users stake ERC-20 tokens** (USDC) to make predictions
-3. **After the market closes**, anyone can request settlement
-4. **CRE automatically triggers** when it detects the settlement request event
-5. **Gemini AI determines the outcome** using Google search grounding for factual verification
-6. **CRE submits a cryptographically signed settlement** report back onchain
-7. **Settlement data is stored in Firestore** for audit trails and frontend display
-8. **Winners claim their proportional share** of the total pool
+(\*) API key authentication requires your account to have Early Access approval. See [Requesting Deploy Access](/cre/account/deploy-access).
-## Key integrations
+## Learn more
-This demo demonstrates several important CRE integration patterns:
+- [Logging in with the CLI](/cre/account/cli-login) — Step-by-step browser login guide with screenshots
+- [Managing Authentication](/cre/account/managing-auth) — Session management, expiration, and logout
+- [Account Management](/cre/reference/cli/account) — Link keys after authentication
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Requires authentication
-### Event-driven workflows
+---
-The CRE workflow listens for `SettlementRequested` events onchain using CRE's [EVM log trigger capability](/cre/guides/workflow/using-triggers/evm-log-trigger). When a settlement is requested, the workflow automatically triggers and begins the settlement process.
+# Account Management
+Source: https://docs.chain.link/cre/reference/cli/account
+Last Updated: 2026-02-26
-### External AI service integration
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
-The workflow sends the market question to Google's Gemini AI with search grounding enabled. Gemini searches the web to determine the factual outcome and returns a result with a confidence score.
-### Data persistence
+
+ All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
+
-Settlement results, including the AI's response and confidence level, are stored in [Firebase Firestore](https://firebase.google.com/docs/firestore). This creates a trail and enables the frontend to display settlement history.
+## `cre account access`
-### Cryptographic signing
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
-The workflow generates cryptographically signed settlement reports that the smart contract can verify. This ensures only authorized, consensus-approved data reaches the contract.
+Checks your organization's deployment access status and lets you submit a request for Early Access directly from the CLI.
-### Full-stack architecture
+For a full walkthrough including the interactive flow and web UI option, see [Requesting Deploy Access](/cre/account/deploy-access).
-The demo includes:
+**Usage:**
-- **Smart contracts** (Solidity + Foundry): `SimpleMarket.sol` for managing prediction markets
-- **CRE workflow** (TypeScript): Event-driven settlement logic with AI integration
-- **Database** (Firebase/Firestore): Audit trail and data persistence
-- **Frontend** (Next.js): User interface for viewing settlement history
+```bash
+cre account access
+```
-## What you'll learn
+**Interactive flow:**
-Exploring this demo will teach you:
+When you run this command, the CLI will:
-1. **Event-driven workflow patterns**: How to use CRE's log trigger to react to onchain events in real-time
-2. **External service integration**: Best practices for integrating AI services like Gemini with your workflows
-3. **Error handling and validation**: How to validate external API responses before using them onchain
-4. **Data persistence patterns**: Techniques for storing workflow results in external databases
-5. **Full-stack dApp architecture**: How CRE fits into a complete application with smart contracts, workflows, and frontends
-6. **Cryptographic signing**: How CRE generates and submits cryptographically signed reports
+1. Check whether your organization has deployment access enabled
+2. If not, prompt you to submit a request
+3. Ask you to briefly describe your use case
+4. Confirm the request was submitted — the Chainlink team will follow up via email
-## Getting started
+**Example output (access not yet enabled):**
-The repository includes two quick start options:
+```
+! Deployment access is not yet enabled for your organization.
-### Option 1: Test CRE Workflow Only (Fastest)
+ Request deployment access? Yes
-Test the workflow using a pre-deployed contract and transaction. This lets you see the workflow in action without deploying anything yourself.
+ Briefly describe your use case
+ What are you building with CRE?
+ > I'm working on a prediction market and I need to deploy my workflow! (or whatever you're building)
-### Option 2: Full End-to-End Test
+✓ Access request submitted successfully!
-Deploy your own contracts, create markets, request settlements, and run the workflow end-to-end. This gives you complete hands-on experience with all components.
+Our team will review your request and get back to you via email shortly.
+```
-See the [repository README](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo) for detailed prerequisites and setup instructions.
+***
-## Next steps
+## `cre account link-key`
-- **[Explore the repository](https://github.com/smartcontractkit/cre-gcp-prediction-market-demo)** - Clone the demo and follow the setup instructions
-- **[Learn about log triggers](/cre/guides/workflow/using-triggers/evm-log-trigger)** - Understand how to build event-driven workflows
-- **[Explore HTTP capabilities](/cre/guides/workflow/using-http-client)** - Learn more about integrating external APIs
-- **[Browse templates](/cre/templates)** - Check out workflow templates you can copy and customize
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
----
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
-# CLI Reference
-Source: https://docs.chain.link/cre/reference/cli
-Last Updated: 2026-05-08
+For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
-export const CRE_CLI_VERSION = VERSIONS["cre-cli"].LATEST
-
- To ensure compatibility with the guides and examples in this documentation, please use version{" "}
- {CRE_CLI_VERSION} of the CRE CLI. You can check your installed version by running `cre version`. Refer to
- the [CLI Installation](/cre/getting-started/cli-installation/macos-linux) guide for more information.
+
+ - **Must run from a project directory** with a `project.yaml` file
+ - **`.env` must contain `CRE_ETH_PRIVATE_KEY`** — Your wallet's private key
+ - **Wallet must be funded** with ETH on Ethereum Mainnet to pay gas fees
+ - **RPC endpoint configured** — Add an `ethereum-mainnet` RPC URL in your `project.yaml` under the `rpcs` section for your target (e.g., `https://ethereum-rpc.publicnode.com` or your preferred provider)
+ - **For multi-sig wallets**: Also specify `workflow-owner-address` in your `project.yaml` under the `account` section. See [Linking Wallet Keys](/cre/organization/linking-keys#using-multi-sig-wallets) for details.
-The CRE Command Line Interface (CLI) is your primary tool for developing, testing, deploying, and managing workflows. It handles project setup, contract binding generation (Go workflows only), local simulation, and workflow lifecycle management.
-## Global flags
+
+ This command always submits a transaction to **Ethereum Mainnet**, regardless of your workflow deployment environment. Ensure your wallet has sufficient ETH for gas fees and your `project.yaml` includes an RPC configuration for `ethereum-mainnet`:
-These flags can be used with any `cre` command.
+ ```yaml
+ rpcs:
+ - chain-name: ethereum-mainnet
+ url: https://ethereum-rpc.publicnode.com # Or your preferred RPC provider
+ ```
+
-| Flag | Description |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `-h, --help` | Displays help information for any command |
-| `-e, --env` | Specifies the path to your `.env` file (default: `".env"`) |
-| `-E, --public-env` | Specifies the path to your `.env.public` file, which contains shared, non-sensitive build configuration |
-| `-T, --target` | Sets the target environment from your configuration files |
-| `-R, --project-root` | Specifies the path to the project root directory. By default, the CLI automatically finds the project root by searching for `project.yaml` in the current directory and parent directories |
-| `-v, --verbose` | Enables verbose logging to print `DEBUG` level logs |
-| `--non-interactive` | Fails instead of prompting; provide all required inputs with flags or environment variables. Use this for CI/CD, scripts, and other headless environments |
+**Usage:**
+```bash
+cre account link-key [flags]
+```
-
- `cre login` requires a browser and is not available in non-interactive mode. For CI/CD and other headless environments, set `CRE_API_KEY` instead. See [API key authentication](/cre/reference/cli/authentication#api-key-authentication).
-
+**Flags:**
-## Commands overview
+| Flag | Description |
+| ------------------- | --------------------------------------------------------------- |
+| `-l, --owner-label` | Label for the workflow owner |
+| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
-### Authentication
+**Interactive flow:**
-Manage your authentication and account credentials.
+When you run this command, the CLI will:
-- **`cre login`** — Authenticate with the CRE UI, save credentials locally, and cache tenant context (`context.yaml`)
-- **`cre logout`** — Revoke authentication tokens and remove local credentials and cached tenant context
-- **`cre whoami`** — Show your current account details
+1. Extract your public address from the private key in your `.env` file
+2. Prompt you to provide a label for this address (e.g., "Production Wallet")
+3. Check if the address is already linked
+4. Display transaction details (chain, contract, estimated gas cost)
+5. Ask for confirmation to execute the transaction
+6. Submit the transaction and provide a block explorer link
-[View authentication commands →](/cre/reference/cli/authentication)
+**Examples:**
-***
+- Interactive mode (recommended)
-### Project Setup
+ ```bash
+ cre account link-key
+ ```
-Initialize projects and generate contract bindings (Go only).
+- Non-interactive mode with label
-- [**`cre init`**](/cre/reference/cli/project-setup) — Initialize a new CRE project (interactive wizard or **`--non-interactive`** with flags for CI/CD)
-- **`cre generate-bindings`** (Go only) — Generate Go bindings from contract ABI files for type-safe contract interactions
+ ```bash
+ cre account link-key --owner-label "My Production Wallet" --yes
+ ```
-[View project setup commands →](/cre/reference/cli/project-setup)
+## `cre account list-key`
-***
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
-### Account Management
+Lists all public key addresses linked to your organization. This shows the verification status, chain information, and contract addresses for each linked key.
-Manage your linked public key addresses and deployment access.
+For a complete guide on linking and managing keys, see [Linking Wallet Keys](/cre/organization/linking-keys).
-- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
-- **`cre account list-key`** — List workflow owners linked to your organization
-- **`cre account unlink-key`** — Unlink a public key address from your account
+**Usage:**
-[View account management commands →](/cre/reference/cli/account)
+```bash
+cre account list-key
+```
-***
+**Example output:**
-### Workflow Commands
+```bash
+Workflow owners retrieved successfully:
-Manage workflows throughout their entire lifecycle.
+Linked Owners:
-- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
-- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
-- **`cre workflow list`** — List workflows deployed for your organization; use `--output json` for scripts
-- **`cre workflow get`** — Show metadata for the workflow configured in `workflow.yaml`
-- **`cre workflow supported-chains`** — List chain names the CLI supports for local simulation; use `--output json` for scripts
-- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
+ 1. my-production-wallet
+ Owner Address:
+ Status: VERIFICATION_STATUS_SUCCESSFULL
+ Verified At:
+ Chain Selector:
+ Contract Address:
+```
-[View workflow commands →](/cre/reference/cli/workflow)
+## `cre account unlink-key`
-***
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
-### Secrets Management
+Unlinks a previously linked public key address from your account. This is a destructive operation that removes the address from the Workflow Registry contract and deletes all workflows registered under that address.
-Manage secrets stored in the Vault DON for use in your workflows.
+For a complete guide on linking and unlinking keys, see [Linking Wallet Keys](/cre/organization/linking-keys).
-- **`cre secrets create`** — Create new secrets from a YAML file
-- **`cre secrets update`** — Update existing secrets
-- **`cre secrets delete`** — Delete secrets
-- **`cre secrets list`** — List secret identifiers in a namespace
-[View secrets management commands →](/cre/reference/cli/secrets)
+
+ **Unlinking will delete all workflows registered under this address.** This action cannot be undone. Make sure you want to permanently remove all workflows associated with this address before proceeding.
+
-***
-### Registry Commands
+
+ - Must run from a project directory with a `project.yaml` file
+ - **`.env` must contain `CRE_ETH_PRIVATE_KEY`** — The private key of the address you want to unlink
+ - Wallet must be funded with ETH on Ethereum Mainnet to pay gas fees
+
-Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
+**Usage:**
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+```bash
+cre account unlink-key [flags]
+```
-[View registry commands →](/cre/reference/cli/registry)
+**Flags:**
-***
+| Flag | Description |
+| ------------ | --------------------------------------------------------------- |
+| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
-### Template Sources
+**Interactive flow:**
-Manage the GitHub repositories that `cre init` uses to discover templates.
+When you run this command, the CLI will:
-- **`cre templates list`** — List templates (human output includes required networks; **`--json`** for scripts)
-- **`cre templates add`** — Add a custom or third-party template repository
-- **`cre templates remove`** — Remove a template repository source
+1. Extract your public address from the private key in your `.env` file (for EOA) or use your configuration (for multi-sig)
+2. **Display a destructive action warning** about deleting all workflows
+3. Ask for first confirmation to proceed with unlinking
+4. Display transaction details (chain, contract, estimated gas cost)
+5. Ask for second confirmation to execute the transaction
+6. Submit the transaction and provide a block explorer link
-[View template source commands →](/cre/reference/cli/templates)
+---
-***
+# Workflow Commands
+Source: https://docs.chain.link/cre/reference/cli/workflow
+Last Updated: 2026-05-08
-### Utilities
+The `cre workflow` commands manage workflows throughout their entire lifecycle, from local testing to deployment and ongoing management.
-Additional utility commands.
-- **`cre update`** — Update the CRE CLI to the latest version
-- **`cre version`** — Print the current version of the CRE CLI
+
+ All `cre` commands support [global flags](/cre/reference/cli#global-flags), including `--env`, `--public-env`, `--target`, `--project-root`, `--verbose`, and `--non-interactive`.
+
-[View utility commands →](/cre/reference/cli/utilities)
+## `cre workflow build`
-## Typical development workflow
+Compiles a workflow to a raw WASM binary and writes it to a file. Unlike `cre workflow deploy`, this command only compiles — it does not upload artifacts or register the workflow onchain. Use this command to produce and inspect a build artifact independently, for example in a CI/CD pipeline where you want to build once and promote the same binary across environments.
-The typical workflow development process uses these commands in sequence:
+**Usage:**
-1. **`cre init`** — Initialize your project
-2. **`cre generate-bindings`** — Generate contract bindings from ABIs (Go workflows only, if interacting with contracts)
-3. **`cre workflow simulate`** — Test your workflow locally
-4. **`cre workflow build`** — (Optional) Compile independently; useful in CI/CD pipelines
-5. **`cre workflow hash`** — (Optional) Inspect content hashes before deploying
-6. **`cre workflow deploy`** — Deploy your workflow to the registry
-7. **`cre workflow activate`** / **`cre workflow pause`** — Control workflow execution
-8. **`cre workflow list`** / **`cre workflow get`** — Inspect deployed workflow metadata
+```bash
+cre workflow build [flags]
+```
-## Learn more
+**Arguments:**
-- **[CLI Installation](/cre/getting-started/cli-installation)** — How to install and set up the CRE CLI
-- **[Getting Started](/cre/getting-started)** — Step-by-step tutorials using the CLI
-- **[Project Configuration](/cre/reference/project-configuration)** — Understanding project structure and configuration files
+- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
----
+**Flags:**
-# Authentication Commands
-Source: https://docs.chain.link/cre/reference/cli/authentication
-Last Updated: 2026-05-08
+| Flag | Description |
+| -------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| `-o, --output` | Output file path for the compiled WASM binary (default: `/binary.wasm`) |
+| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
-The CRE CLI supports two authentication methods:
+**Example:**
-- **Browser-based login** (`cre login`) — Interactive login for local development
-- **API key** (`CRE_API_KEY` environment variable) — Non-interactive authentication for CI/CD pipelines and headless environments
+```bash
+cre workflow build ./my-workflow
+```
-## Browser-based authentication
+**Example output:**
-### `cre login`
+```
+Compiling workflow...
+✓ Workflow compiled successfully
+ Binary hash: 0x3a7f...c21b
+✓ Build output written to ./my-workflow/binary.wasm
+```
-Starts the interactive authentication flow. This command opens your browser for user login, saves your credentials locally to `~/.cre/cre.yaml`, and **fetches your tenant context** from the CRE platform. That response is cached per CRE environment (for example `PRODUCTION`) in **`~/.cre/context.yaml`** — a registry manifest that includes items such as your vault gateway URL, workflow registries, and which secrets authentication flows each registry supports. See [Tenant context cache](#tenant-context-cache) below.
+The binary hash printed here matches the hash shown during `cre workflow deploy`. You can also compute it explicitly with [`cre workflow hash`](#cre-workflow-hash).
-`cre login` requires a browser and is not available in `--non-interactive` mode. For CI/CD pipelines and other headless environments, use `CRE_API_KEY` instead.
+For CI/CD usage, see [Deploying Workflows](/cre/guides/operations/deploying-workflows#cicd-pipeline-integration).
+
+***
+
+## `cre workflow simulate`
+
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
+
+Compiles your workflow to WASM and executes it in a local simulation environment. This is the core command for testing and debugging your workflow.
**Usage:**
```bash
-cre login
+cre workflow simulate [flags]
```
-**Authentication steps:**
+**Arguments:**
-1. The CLI opens your default web browser to the login page
-2. Enter your account email address
-3. Enter your account password
-4. Enter your one-time password (OTP) from your authenticator app
-5. The CLI automatically captures and saves your credentials locally, then fetches and caches tenant context (you may see **“Fetching user context…”** in the terminal)
+- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`). When run from the project root, you can use just the folder name. The CLI looks for a `workflow.yaml` file in the workflow directory.
-For a detailed walkthrough with screenshots, see [Logging in with the CLI](/cre/account/cli-login).
+**Flags:**
-### `cre logout`
+| Flag | Description |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--broadcast` | Broadcast onchain write transactions (default: `false`). Without this flag, a dry run is performed |
+| `-g, --engine-logs` | Enable non-fatal engine logging |
+| `--non-interactive` | Run without prompts; requires `--trigger-index` (see the line below) and inputs for the selected trigger type |
+| `--trigger-index ` | Selects which handler to run (0-based position). If your workflow has multiple handlers, `0` is the first, `1` is the second, etc. Required with `--non-interactive` |
+| `--http-payload ` | HTTP trigger payload as JSON string or path to a JSON file. File paths are resolved relative to the directory where you ran the command. For HTTP triggers only |
+| `--evm-tx-hash ` | Transaction hash (`0x...`) containing the event that triggered your workflow. For EVM log triggers only |
+| `--evm-event-index ` | Which log/event within the transaction to use (0-based position). If the transaction emitted multiple events, `0` is the first, `1` is the second, etc. For EVM log triggers only |
+| `--limits ` | Production limits to enforce during simulation: `default` (embedded prod limits), a path to a limits JSON file (e.g. from `cre workflow limits export`), or `none` to disable. See [Testing Production Limits](/cre/guides/operations/understanding-limits) (default: `default`) |
+| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
-Revokes authentication tokens and removes **local credentials** (`~/.cre/cre.yaml`) **and the cached tenant context file** (`~/.cre/context.yaml`). This invalidates the current session tokens and clears the CLI-side copy of your tenant registry manifest.
+**Examples:**
-**Usage:**
+- Basic simulation
-```bash
-cre logout
-```
+ ```bash
+ cre workflow simulate ./my-workflow --target local-simulation
+ ```
-### `cre whoami`
+- Broadcast real onchain transactions
-Shows your current account details. This command fetches and displays your account information, including your email and organization ID. This works with both browser-based login and API key authentication.
+ ```bash
+ cre workflow simulate ./my-workflow --broadcast --target local-simulation
+ ```
-**Usage:**
+- Non-interactive mode with HTTP trigger
-```bash
-cre whoami
-```
+ ```bash
+ # If your HTTP trigger handler is the first handler in your workflow, use --trigger-index 0
+ cre workflow simulate my-workflow --non-interactive --trigger-index 0 --http-payload '{"key":"value"}' --target staging-settings
+ ```
+- Non-interactive mode with EVM log trigger
-
- Use `cre whoami` to verify you're authenticated and check which account is currently active. This is useful before deploying workflows or performing other authenticated operations.
-
+ ```bash
+ # If your EVM log trigger handler is the second handler in your workflow, use --trigger-index 1
+ # --evm-event-index 0 means you want the first event from that transaction
+ cre workflow simulate my-workflow --non-interactive --trigger-index 1 --evm-tx-hash 0x420721d7d00130a03c5b525b2dbfd42550906ddb3075e8377f9bb5d1a5992f8e --evm-event-index 0 --target staging-settings
+ ```
-## API key authentication
+
+ By default, `cre workflow simulate` performs a **dry run** for onchain write operations. It simulates the transaction to confirm it would succeed, but does not broadcast it to the network. This results in a successful log with an empty transaction hash (`0x`). To send a real transaction, use the `--broadcast` flag.
+
-
- API key authentication requires your account to have Early Access approval for deployment. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+
+
+ Run [`cre workflow supported-chains`](/cre/reference/cli/workflow#cre-workflow-supported-chains) to print every **supported chain name** the CLI knows for simulation, then configure matching RPC URLs for your target.
-For CI/CD pipelines, automated scripts, or any environment where a browser is not available, you can authenticate using an API key. When the `CRE_API_KEY` environment variable is set, the CLI uses it automatically — no `cre login` required.
+## `cre workflow supported-chains`
-### Creating an API key
+Prints the supported chain names for EVM local simulation. Default output is a `Supported chain names:` heading followed by one indented name per line (for example `ethereum-testnet-sepolia`, `ethereum-mainnet-arbitrum-1`).
-1. Log in to the CRE platform
-2. Navigate to the **Organization** page
-3. Select the **APIs** tab
-4. Click **+ Organization API**
-5. Give your key a name and confirm
+Use `cre workflow supported-chains` to confirm a chain is supported before you wire RPC URLs and triggers in `project.yaml` / `workflow.yaml`. The command reads the embedded list only; it does not query your RPC endpoints.
+**Usage:**
-
- Treat your API key like a password. Do not commit it to version control or share it in plain text. Use your CI/CD platform's secret management to store it securely.
-
+```bash
+cre workflow supported-chains [flags]
+```
-### Using the API key
+**Flags:**
-Set the `CRE_API_KEY` environment variable before running CLI commands:
+| Flag | Description |
+| ------------------- | ----------------------------------------------------------------------------- |
+| `--output ` | Output format. Use `json` to print a JSON array to stdout for scripting cases |
+
+**Examples:**
```bash
-export CRE_API_KEY="your-api-key"
-cre whoami
+cre workflow supported-chains
+cre workflow supported-chains --output json
```
-When `CRE_API_KEY` is set, the CLI skips the browser-based login flow entirely. All commands that require authentication (deploying, managing workflows, etc.) will use the API key. The CLI still **ensures tenant context** is available (fetching or refreshing `~/.cre/context.yaml` as needed) so your session matches the platform configuration for that key.
+**Example (default, excerpt):**
-In a CI/CD pipeline, configure `CRE_API_KEY` as a secret environment variable in your platform and pass [`--non-interactive`](/cre/reference/cli#global-flags) to fail immediately if a command would otherwise prompt for input.
+```text
+Supported chain names:
+ ethereum-testnet-sepolia
+ ethereum-mainnet
+ polygon-mainnet
+```
-## Tenant context cache
+The full list is longer and can change between CLI releases; run the command locally for the complete set.
-After a successful browser login — and when using an API key for commands that load credentials — the CLI stores **tenant context** at **`~/.cre/context.yaml`**. This file comes from the platform’s **`getTenantConfig`** data: a **registry manifest** for your organization so the CLI knows your CRE environment layout (for example vault gateway URL, registries, and allowed secrets auth flows per registry). Values are grouped under your CRE environment name (such as `PRODUCTION`).
+## `cre workflow deploy`
-
- **`cre.yaml`** holds authentication tokens for your session. **`context.yaml`** holds **tenant configuration** returned by the platform, not secrets. **`cre logout`** removes both files from your machine.
+
+ Deploying workflows requires Early Access approval. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+
+ **While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-The following example is **illustrative** only; your registries, addresses, and flow lists depend on your organization and environment.
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+
-```yaml
-PRODUCTION:
- tenant_id: ""
- default_don_family: zone-a
- vault_gateway_url: https://01.gateway.zone-a.cre.chain.link
- registries:
- - id: onchain:ethereum-mainnet
- label: ethereum-mainnet (0x1234...abcd)
- type: on-chain
- chain_selector: ""
- address: "0x0000000000000000000000000000000000000000"
- secrets_auth_flows:
- - browser
- - owner-key-signing
- - id: private
- label: Private (Chainlink-hosted)
- type: off-chain
- secrets_auth_flows:
- - browser
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
+
+**Usage:**
+
+```bash
+cre workflow deploy [flags]
```
-## Authentication methods summary
+**Arguments:**
-| Method | Best for | How it works |
-| ------------- | ------------------------------------- | ---------------------------------------------------- |
-| `cre login` | Local development | Opens a browser for interactive login with 2FA |
-| `CRE_API_KEY` | CI/CD, scripts, headless environments | Set the environment variable — no browser needed(\*) |
+- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
-(\*) API key authentication requires your account to have Early Access approval. See [Requesting Deploy Access](/cre/account/deploy-access).
+**Flags:**
-## Learn more
+| Flag | Description |
+| -------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| `-o, --output` | Output file for the compiled WASM binary encoded in base64 (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
-- [Logging in with the CLI](/cre/account/cli-login) — Step-by-step browser login guide with screenshots
-- [Managing Authentication](/cre/account/managing-auth) — Session management, expiration, and logout
-- [Account Management](/cre/reference/cli/account) — Link keys after authentication
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Requires authentication
+**Examples:**
----
+- Deploy workflow
-# Account Management
-Source: https://docs.chain.link/cre/reference/cli/account
-Last Updated: 2026-02-26
+ ```bash
+ cre workflow deploy my-workflow --target production-settings
+ ```
-The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
+- Deploy and save the compiled binary to a custom location
+ ```bash
+ cre workflow deploy my-workflow --output ./dist/workflow.wasm.br.b64
+ ```
-
- All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
+- Deploy using a pre-built binary (skips compilation)
+
+ ```bash
+ # Build once
+ cre workflow build ./my-workflow
+
+ # Deploy with the pre-built binary
+ cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings
+ ```
+
+
+
+ If you deploy an update to a workflow that is currently paused, the CLI will complete the update and then print a warning: `Your workflow is paused and has been updated`. The workflow remains paused after the update — run `cre workflow activate` to resume it.
-## `cre account access`
+For more details, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
+
+## `cre workflow activate`
Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
@@ -9049,44 +8946,34 @@ The `cre account` commands manage linked public key addresses for public onchain
in with the CLI](/cre/account/cli-login) for further details.
-Checks your organization's deployment access status and lets you submit a request for Early Access directly from the CLI.
-
-For a full walkthrough including the interactive flow and web UI option, see [Requesting Deploy Access](/cre/account/deploy-access).
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
```bash
-cre account access
+cre workflow activate [flags]
```
-**Interactive flow:**
-
-When you run this command, the CLI will:
-
-1. Check whether your organization has deployment access enabled
-2. If not, prompt you to submit a request
-3. Ask you to briefly describe your use case
-4. Confirm the request was submitted — the Chainlink team will follow up via email
-
-**Example output (access not yet enabled):**
+**Arguments:**
-```
-! Deployment access is not yet enabled for your organization.
+- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
- Request deployment access? Yes
+**Flags:**
- Briefly describe your use case
- What are you building with CRE?
- > I'm working on a prediction market and I need to deploy my workflow! (or whatever you're building)
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
-✓ Access request submitted successfully!
+**Example:**
-Our team will review your request and get back to you via email shortly.
+```bash
+cre workflow activate ./my-workflow --target production-settings
```
-***
+For more details, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
-## `cre account link-key`
+## `cre workflow pause`
Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
@@ -9094,70 +8981,39 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
-
-For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
-
-
-
- - **Must run from a project directory** with a `project.yaml` file
- - **`.env` must contain `CRE_ETH_PRIVATE_KEY`** — Your wallet's private key
- - **Wallet must be funded** with ETH on Ethereum Mainnet to pay gas fees
- - **RPC endpoint configured** — Add an `ethereum-mainnet` RPC URL in your `project.yaml` under the `rpcs` section for your target (e.g., `https://ethereum-rpc.publicnode.com` or your preferred provider)
- - **For multi-sig wallets**: Also specify `workflow-owner-address` in your `project.yaml` under the `account` section. See [Linking Wallet Keys](/cre/organization/linking-keys#using-multi-sig-wallets) for details.
-
-
-
-
- This command always submits a transaction to **Ethereum Mainnet**, regardless of your workflow deployment environment. Ensure your wallet has sufficient ETH for gas fees and your `project.yaml` includes an RPC configuration for `ethereum-mainnet`:
-
- ```yaml
- rpcs:
- - chain-name: ethereum-mainnet
- url: https://ethereum-rpc.publicnode.com # Or your preferred RPC provider
- ```
-
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
```bash
-cre account link-key [flags]
+cre workflow pause [flags]
```
-**Flags:**
-
-| Flag | Description |
-| ------------------- | --------------------------------------------------------------- |
-| `-l, --owner-label` | Label for the workflow owner |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+**Arguments:**
-**Interactive flow:**
+- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
-When you run this command, the CLI will:
+**Flags:**
-1. Extract your public address from the private key in your `.env` file
-2. Prompt you to provide a label for this address (e.g., "Production Wallet")
-3. Check if the address is already linked
-4. Display transaction details (chain, contract, estimated gas cost)
-5. Ask for confirmation to execute the transaction
-6. Submit the transaction and provide a block explorer link
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
-**Examples:**
+**Example:**
-- Interactive mode (recommended)
+```bash
+cre workflow pause ./my-workflow --target production-settings
+```
- ```bash
- cre account link-key
- ```
-- Non-interactive mode with label
+
+ When you pause a workflow, it will no longer respond to any triggers. Ensure this is intentional before pausing production workflows.
+
- ```bash
- cre account link-key --owner-label "My Production Wallet" --yes
- ```
+For more details, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
-## `cre account list-key`
+## `cre workflow delete`
Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
@@ -9165,135 +9021,111 @@ When you run this command, the CLI will:
in with the CLI](/cre/account/cli-login) for further details.
-Lists all public key addresses linked to your organization. This shows the verification status, chain information, and contract addresses for each linked key.
-
-For a complete guide on linking and managing keys, see [Linking Wallet Keys](/cre/organization/linking-keys).
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
```bash
-cre account list-key
+cre workflow delete [flags]
```
-**Example output:**
-
-```bash
-Workflow owners retrieved successfully:
-
-Linked Owners:
+**Arguments:**
- 1. my-production-wallet
- Owner Address:
- Status: VERIFICATION_STATUS_SUCCESSFULL
- Verified At:
- Chain Selector:
- Contract Address:
-```
+- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
-## `cre account unlink-key`
+**Flags:**
-
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
-
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
-Unlinks a previously linked public key address from your account. This is a destructive operation that removes the address from the Workflow Registry contract and deletes all workflows registered under that address.
+**Example:**
-For a complete guide on linking and unlinking keys, see [Linking Wallet Keys](/cre/organization/linking-keys).
+```bash
+cre workflow delete ./my-workflow --target production-settings
+```
- **Unlinking will delete all workflows registered under this address.** This action cannot be undone. Make sure you want to permanently remove all workflows associated with this address before proceeding.
+ This command **permanently deletes the workflow**. The `--yes` flag bypasses the confirmation prompt for this destructive operation. Use with caution.
+For more details, see [Deleting Workflows](/cre/guides/operations/deleting-workflows).
-
- - Must run from a project directory with a `project.yaml` file
- - **`.env` must contain `CRE_ETH_PRIVATE_KEY`** — The private key of the address you want to unlink
- - Wallet must be funded with ETH on Ethereum Mainnet to pay gas fees
+## `cre workflow list`
+
+
+ Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
+ logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
+ in with the CLI](/cre/account/cli-login) for further details.
+Lists workflows deployed for your organization across registries. Deleted workflows are hidden by default.
+
**Usage:**
```bash
-cre account unlink-key [flags]
+cre workflow list [flags]
```
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| --------------------- | --------------------------------------------------------------------------------- |
+| `--include-deleted` | Include workflows in `DELETED` status |
+| `--output ` | Output format. Use `json` to print a JSON array to stdout for scripting use cases |
+| `--registry ` | Filter results by a specific registry ID from your user context |
-**Interactive flow:**
+**Examples:**
-When you run this command, the CLI will:
+- List all workflows
-1. Extract your public address from the private key in your `.env` file (for EOA) or use your configuration (for multi-sig)
-2. **Display a destructive action warning** about deleting all workflows
-3. Ask for first confirmation to proceed with unlinking
-4. Display transaction details (chain, contract, estimated gas cost)
-5. Ask for second confirmation to execute the transaction
-6. Submit the transaction and provide a block explorer link
+ ```bash
+ cre workflow list
+ ```
----
-
-# Workflow Commands
-Source: https://docs.chain.link/cre/reference/cli/workflow
-Last Updated: 2026-05-08
-
-The `cre workflow` commands manage workflows throughout their entire lifecycle, from local testing to deployment and ongoing management.
-
-
-
- All `cre` commands support [global flags](/cre/reference/cli#global-flags), including `--env`, `--public-env`, `--target`, `--project-root`, `--verbose`, and `--non-interactive`.
-
-
-## `cre workflow build`
-
-Compiles a workflow to a raw WASM binary and writes it to a file. Unlike `cre workflow deploy`, this command only compiles — it does not upload artifacts or register the workflow onchain. Use this command to produce and inspect a build artifact independently, for example in a CI/CD pipeline where you want to build once and promote the same binary across environments.
-
-**Usage:**
-
-```bash
-cre workflow build [flags]
-```
-
-**Arguments:**
+- List all workflows including deleted ones
-- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
+ ```bash
+ cre workflow list --include-deleted
+ ```
-**Flags:**
+- Export workflow list as JSON
-| Flag | Description |
-| -------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| `-o, --output` | Output file path for the compiled WASM binary (default: `/binary.wasm`) |
-| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
+ ```bash
+ cre workflow list --output json > workflows.json
+ ```
-**Example:**
+**JSON output fields:**
-```bash
-cre workflow build ./my-workflow
-```
+| Field | Description |
+| ----------------- | ---------------------------------------------------------------------------- |
+| `name` | Workflow name |
+| `workflowId` | Workflow ID |
+| `ownerAddress` | Workflow owner address |
+| `status` | Current workflow status |
+| `registry` | Registry ID, or the workflow source when no registry match is available |
+| `contractAddress` | Workflow registry contract address, when available for the resolved registry |
-**Example output:**
+**Example JSON output:**
+```json
+[
+ {
+ "name": "my-workflow",
+ "workflowId": "00ab...1234",
+ "ownerAddress": "0x1234...abcd",
+ "status": "ACTIVE",
+ "registry": "onchain:ethereum-mainnet",
+ "contractAddress": "0x5678...ef01"
+ }
+]
```
-Compiling workflow...
-✓ Workflow compiled successfully
- Binary hash: 0x3a7f...c21b
-✓ Build output written to ./my-workflow/binary.wasm
-```
-
-The binary hash printed here matches the hash shown during `cre workflow deploy`. You can also compute it explicitly with [`cre workflow hash`](#cre-workflow-hash).
-
-For CI/CD usage, see [Deploying Workflows](/cre/guides/operations/deploying-workflows#cicd-pipeline-integration).
***
-## `cre workflow simulate`
+## `cre workflow get`
Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
@@ -9301,1813 +9133,1679 @@ For CI/CD usage, see [Deploying Workflows](/cre/guides/operations/deploying-work
in with the CLI](/cre/account/cli-login) for further details.
-Compiles your workflow to WASM and executes it in a local simulation environment. This is the core command for testing and debugging your workflow.
+Shows metadata for the workflow configured in `workflow.yaml`. The command reads the workflow name for the selected `--target`, searches the CRE platform for matching workflow metadata, and filters results to the workflow's configured `deployment-registry` by default.
**Usage:**
```bash
-cre workflow simulate [flags]
+cre workflow get [flags]
```
**Arguments:**
-- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`). When run from the project root, you can use just the folder name. The CLI looks for a `workflow.yaml` file in the workflow directory.
+- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
**Flags:**
-| Flag | Description |
-| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `--broadcast` | Broadcast onchain write transactions (default: `false`). Without this flag, a dry run is performed |
-| `-g, --engine-logs` | Enable non-fatal engine logging |
-| `--non-interactive` | Run without prompts; requires `--trigger-index` (see the line below) and inputs for the selected trigger type |
-| `--trigger-index ` | Selects which handler to run (0-based position). If your workflow has multiple handlers, `0` is the first, `1` is the second, etc. Required with `--non-interactive` |
-| `--http-payload ` | HTTP trigger payload as JSON string or path to a JSON file. File paths are resolved relative to the directory where you ran the command. For HTTP triggers only |
-| `--evm-tx-hash ` | Transaction hash (`0x...`) containing the event that triggered your workflow. For EVM log triggers only |
-| `--evm-event-index ` | Which log/event within the transaction to use (0-based position). If the transaction emitted multiple events, `0` is the first, `1` is the second, etc. For EVM log triggers only |
-| `--limits ` | Production limits to enforce during simulation: `default` (embedded prod limits), a path to a limits JSON file (e.g. from `cre workflow limits export`), or `none` to disable. See [Testing Production Limits](/cre/guides/operations/understanding-limits) (default: `default`) |
-| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
+| Flag | Description |
+| ------------------ | ------------------------------------------------------------------------ |
+| `--all-registries` | Do not filter results by the workflow's configured `deployment-registry` |
**Examples:**
-- Basic simulation
-
- ```bash
- cre workflow simulate ./my-workflow --target local-simulation
- ```
-
-- Broadcast real onchain transactions
+- Show metadata for the workflow configured for a target
```bash
- cre workflow simulate ./my-workflow --broadcast --target local-simulation
+ cre workflow get ./my-workflow --target staging-settings
```
-- Non-interactive mode with HTTP trigger
+- Search across all registries in your organization
```bash
- # If your HTTP trigger handler is the first handler in your workflow, use --trigger-index 0
- cre workflow simulate my-workflow --non-interactive --trigger-index 0 --http-payload '{"key":"value"}' --target staging-settings
+ cre workflow get ./my-workflow --target staging-settings --all-registries
```
-- Non-interactive mode with EVM log trigger
-
- ```bash
- # If your EVM log trigger handler is the second handler in your workflow, use --trigger-index 1
- # --evm-event-index 0 means you want the first event from that transaction
- cre workflow simulate my-workflow --non-interactive --trigger-index 1 --evm-tx-hash 0x420721d7d00130a03c5b525b2dbfd42550906ddb3075e8377f9bb5d1a5992f8e --evm-event-index 0 --target staging-settings
- ```
+The command prints the same human-readable workflow metadata fields as [`cre workflow list`](#cre-workflow-list): workflow name, workflow ID, owner address, status, registry, and registry address when available.
+***
-
- By default, `cre workflow simulate` performs a **dry run** for onchain write operations. It simulates the transaction to confirm it would succeed, but does not broadcast it to the network. This results in a successful log with an empty transaction hash (`0x`). To send a real transaction, use the `--broadcast` flag.
-
+## `cre workflow custom-build`
-
- Run [`cre workflow supported-chains`](/cre/reference/cli/workflow#cre-workflow-supported-chains) to print every **supported chain name** the CLI knows for simulation, then configure matching RPC URLs for your target.
+
+ This command permanently modifies your `workflow.yaml`, updating `workflow-path` to `./wasm/workflow.wasm` across all targets. It cannot be undone. After conversion, the CLI will no longer compile your source code automatically — your `Makefile` is responsible for producing the WASM binary.
-## `cre workflow supported-chains`
-
-Prints the supported chain names for EVM local simulation. Default output is a `Supported chain names:` heading followed by one indented name per line (for example `ethereum-testnet-sepolia`, `ethereum-mainnet-arbitrum-1`).
-
-Use `cre workflow supported-chains` to confirm a chain is supported before you wire RPC URLs and triggers in `project.yaml` / `workflow.yaml`. The command reads the embedded list only; it does not query your RPC endpoints.
+Converts a workflow to use a custom self-compiled WASM build. Instead of the CLI compiling your source automatically, a generated `Makefile` owns the build step. Use this when you need custom compiler flags, CI/CD artifact promotion, pre-build validation, or non-standard toolchains.
**Usage:**
```bash
-cre workflow supported-chains [flags]
+cre workflow custom-build [flags]
```
+**Arguments:**
+
+- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
+
**Flags:**
-| Flag | Description |
-| ------------------- | ----------------------------------------------------------------------------- |
-| `--output ` | Output format. Use `json` to print a JSON array to stdout for scripting cases |
+| Flag | Description |
+| ------------- | ------------------------------------------------ |
+| `-f, --force` | Skip confirmation prompt and convert immediately |
-**Examples:**
+**Example:**
```bash
-cre workflow supported-chains
-cre workflow supported-chains --output json
+cre workflow custom-build ./my-workflow
```
-**Example (default, excerpt):**
+**Expected output:**
-```text
-Supported chain names:
- ethereum-testnet-sepolia
- ethereum-mainnet
- polygon-mainnet
+```bash
+✓ Workflow converted to custom build. workflow-path is now ./wasm/workflow.wasm
+ The Makefile is configured to output the WASM to this path. Run: make build
```
-The full list is longer and can change between CLI releases; run the command locally for the complete set.
-
-## `cre workflow deploy`
-
+For a full guide including Makefile examples and customization, see [Custom WASM Builds](/cre/guides/operations/custom-build).
-
- Deploying workflows requires Early Access approval. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+***
- **While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-
+## `cre workflow hash`
-
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
-
+Computes and displays content hashes for a workflow without deploying it. Reports the binary hash, config hash, and the workflow hash — the same value used as the onchain workflow ID. This is useful for verifying what will be deployed before submitting a transaction, or for confirming that a build artifact is identical to a previously deployed version.
-Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
+Hashes are also displayed automatically during `cre workflow build` and `cre workflow deploy`.
**Usage:**
```bash
-cre workflow deploy [flags]
+cre workflow hash [flags]
```
**Arguments:**
-- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
+- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
**Flags:**
-| Flag | Description |
-| -------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| `-o, --output` | Output file for the compiled WASM binary encoded in base64 (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
-| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
+| Flag | Description |
+| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--public_key` | Owner address to use when computing the workflow hash. Required when `CRE_ETH_PRIVATE_KEY` is not set and no `workflow-owner-address` is configured in your settings |
+| `--wasm` | Path or URL to a pre-built WASM binary (skips compilation) |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Compute hash without a config file |
+| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
+
+
+
+ This command needs your owner address to compute the workflow hash, since the hash incorporates the owner. It derives this from `CRE_ETH_PRIVATE_KEY` by default. If you don't want to provide a private key, pass your address directly with `--public_key`.
+
**Examples:**
-- Deploy workflow
+- Compute hashes using settings from `workflow.yaml`
```bash
- cre workflow deploy my-workflow --target production-settings
+ cre workflow hash my-workflow --target staging-settings
```
-- Deploy and save the compiled binary to a custom location
+- Compute hashes without providing a private key
```bash
- cre workflow deploy my-workflow --output ./dist/workflow.wasm.br.b64
+ cre workflow hash my-workflow --public_key 0xYourOwnerAddress --target staging-settings
```
-- Deploy using a pre-built binary (skips compilation)
+- Compute hashes for a pre-built binary without recompiling
```bash
- # Build once
- cre workflow build ./my-workflow
-
- # Deploy with the pre-built binary
- cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings
+ cre workflow hash my-workflow --wasm ./my-workflow/binary.wasm --target staging-settings
```
+**Example output:**
-
- If you deploy an update to a workflow that is currently paused, the CLI will complete the update and then print a warning: `Your workflow is paused and has been updated`. The workflow remains paused after the update — run `cre workflow activate` to resume it.
+```
+✓ Workflow compiled
+ Binary hash: 0dcbb19de3c22edfe61605a970eb6d42199df91ac3e992cd3f2e33cb13efbb4c
+ Config hash: 3bdaebcc2f639d77cb248242c1d01c8651f540cdbf423d26fe3128516fd225b6
+ Workflow hash: 004fff5bb1ae05cc16e453f8ad564f5e8b0eae1945ec22f3d0adfc0339954d56
+```
+
+
+
+ The **workflow hash** is the same value that appears as the **Workflow ID** onchain. If your consumer contracts validate the workflow ID, use `cre workflow hash` to check the expected ID before and after updates. See [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) for details.
-For more details, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
+## `cre workflow limits`
-## `cre workflow activate`
+Manage simulation limits. Use this command to inspect the default production limits used during `cre workflow simulate`.
-
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
-
+### `cre workflow limits export`
-Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
+Prints the default production limits as JSON to stdout. Use this as a starting point for creating a custom limits file.
**Usage:**
```bash
-cre workflow activate [flags]
+cre workflow limits export
```
-**Arguments:**
+**Example:**
-- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
+```bash
+cre workflow limits export > my-limits.json
+```
-**Flags:**
-
-| Flag | Description |
-| ------------ | -------------------------------------------------------------------------------------- |
-| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
-
-**Example:**
+Redirect the output to a file, edit the values you want to adjust, then pass the file to `cre workflow simulate` with the `--limits` flag:
```bash
-cre workflow activate ./my-workflow --target production-settings
+cre workflow simulate ./my-workflow --limits ./my-limits.json --target staging-settings
```
-For more details, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
+See [Testing Production Limits](/cre/guides/operations/understanding-limits) for a full walkthrough.
-## `cre workflow pause`
+***
-
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
-
+## Workflow lifecycle
-Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
+The typical workflow lifecycle uses these commands in sequence:
-**Usage:**
+1. **Develop locally** — Write and iterate on your workflow code
+2. **`cre workflow limits export`** — (Optional) Inspect and customize production limits before simulating
+3. **`cre workflow simulate`** — Test your workflow in a local simulation environment
+4. **`cre workflow build`** — (Optional) Compile to WASM independently; useful in CI/CD pipelines
+5. **`cre workflow hash`** — (Optional) Inspect content hashes before deploying
+6. **`cre workflow deploy`** — Deploy your workflow to the registry
+7. **`cre workflow pause`** / **`cre workflow activate`** — Control workflow execution as needed
+8. **`cre workflow deploy`** (again) — Deploy updates (replaces the existing workflow)
+9. **`cre workflow list`** — (Optional) View all deployed workflows for your organization
+10. **`cre workflow get`** — (Optional) Inspect metadata for the workflow configured in `workflow.yaml`
+11. **`cre workflow delete`** — Remove the workflow when no longer needed
-```bash
-cre workflow pause [flags]
-```
+## Learn more
-**Arguments:**
+- [Testing Production Limits](/cre/guides/operations/understanding-limits) — Using the `--limits` flag and `cre workflow limits export`
+- [Simulating Workflows](/cre/guides/operations/simulating-workflows) — Detailed simulation guide
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Detailed deployment guide, including CI/CD pipeline integration
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Managing workflow state
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Version management
+- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Cleanup and removal
-- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
+---
-**Flags:**
+# Registry Commands
+Source: https://docs.chain.link/cre/reference/cli/registry
+Last Updated: 2026-05-08
-| Flag | Description |
-| ------------ | -------------------------------------------------------------------------------------- |
-| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+The `cre registry` commands let you view and inspect the workflow registries available to your organization.
-**Example:**
+## What is a workflow registry?
-```bash
-cre workflow pause ./my-workflow --target production-settings
-```
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, off-chain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
-
- When you pause a workflow, it will no longer respond to any triggers. Ensure this is intentional before pausing production workflows.
-
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
-For more details, see [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows).
+When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
+
+Each workflow can declare a **`deployment-registry`** in `workflow.yaml` (under the target you deploy with). Set it to one of the **ID** values printed by `cre registry list` (for example `onchain:ethereum-mainnet`). Commands such as [`cre workflow get`](/cre/reference/cli/workflow#cre-workflow-get) use that setting to decide which registry to query by default; use `--all-registries` when you need to search across every registry your org can access.
-## `cre workflow delete`
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
+ Running `cre registry` commands requires you to be logged in. Run `cre whoami` to verify your session, or `cre login` to authenticate. See [Logging in with the CLI](/cre/account/cli-login) for details.
-Deletes a workflow from the registry selected by `deployment-registry`.
+
+
+ All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
+
+
+## `cre registry list`
+
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`. The CLI may also print a short reminder for setting **`deployment-registry`** in `workflow.yaml` (see example output below).
**Usage:**
```bash
-cre workflow delete [flags]
+cre registry list
```
-**Arguments:**
+**Example output:**
-- `` — (Required) Workflow folder name (e.g., `my-workflow`) or path (e.g., `./my-workflow`)
+```
+Registries available to your organization
-**Flags:**
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: on-chain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-| Flag | Description |
-| ------------ | -------------------------------------------------------------------------------------- |
-| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
-**Example:**
+Targeting a registry
+ Set `deployment-registry` in your workflow.yaml to one of the IDs above:
-```bash
-cre workflow delete ./my-workflow --target production-settings
+ :
+ user-workflow:
+ deployment-registry: "onchain:ethereum-mainnet"
```
+Exact registries depend on your organization. Some environments list only on-chain registries; others also include off-chain (private) entries. If no registries are found, the command prints a warning and exits cleanly.
+
+## Learn more
-
- This command **permanently deletes the workflow**. The `--yes` flag bypasses the confirmation prompt for this destructive operation. Use with caution.
-
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — End-to-end deployment guide
+- [Authentication](/cre/reference/cli/authentication) — Managing your CLI login session and tenant context cache
-For more details, see [Deleting Workflows](/cre/guides/operations/deleting-workflows).
+---
-## `cre workflow list`
+# Secrets Management Commands
+Source: https://docs.chain.link/cre/reference/cli/secrets
+Last Updated: 2026-04-10
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
+ Running the commands on this page requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to
+ verify you're logged in, or run `cre login` to authenticate. See [Creating Your
+ Account](/cre/account/creating-account) and [Logging in with the CLI](/cre/account/cli-login) for further details.
-Lists workflows deployed for your organization across registries. Deleted workflows are hidden by default.
+The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
-**Usage:**
+## Auth modes
-```bash
-cre workflow list [flags]
-```
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-**Flags:**
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
-| Flag | Description |
-| --------------------- | --------------------------------------------------------------------------------- |
-| `--include-deleted` | Include workflows in `DELETED` status |
-| `--output ` | Output format. Use `json` to print a JSON array to stdout for scripting use cases |
-| `--registry ` | Filter results by a specific registry ID from your user context |
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
-**Examples:**
+## Authorization flow
-- List all workflows
+Secrets operations use your **workflow owner address** to authorize Vault DON access:
- ```bash
- cre workflow list
- ```
+1. The CLI verifies that your workflow owner address is linked to your account on-chain.
+2. The CLI submits an allowlist request transaction on the workflow registry chain (signed by your private key, or via multi-sig with `--unsigned`).
+3. Once the allowlist entry is confirmed, the CLI encrypts your secrets with the Vault master public key and submits them directly to the Vault DON gateway (CLI v1.8.2+).
-- List all workflows including deleted ones
+This requires a configured `workflow-owner-address` in your project and a linked workflow owner (see `cre account link-key`).
- ```bash
- cre workflow list --include-deleted
- ```
+## Org-owned secrets
-- Export workflow list as JSON
+Starting with CLI v1.10.0, secrets can optionally be owned by your **organization** instead of your individual workflow owner address. When the `CRE_CLI_SECRETS_ORG_OWNED` environment variable is set to `true` in your target configuration, all secrets operations use your org ID (from your authenticated session) as the owner identifier rather than your workflow owner address.
- ```bash
- cre workflow list --output json > workflows.json
- ```
+This is useful for teams that share secrets across multiple workflows within an organization, as it decouples secret ownership from individual wallet addresses.
-**JSON output fields:**
+**How it works:**
-| Field | Description |
-| ----------------- | ---------------------------------------------------------------------------- |
-| `name` | Workflow name |
-| `workflowId` | Workflow ID |
-| `ownerAddress` | Workflow owner address |
-| `status` | Current workflow status |
-| `registry` | Registry ID, or the workflow source when no registry match is available |
-| `contractAddress` | Workflow registry contract address, when available for the resolved registry |
+- When `CRE_CLI_SECRETS_ORG_OWNED=true`, the CLI uses your org ID as the TDH2 encryption label and vault secret owner
+- When `CRE_CLI_SECRETS_ORG_OWNED=false` (the default), behavior is unchanged — the workflow owner address is used
-**Example JSON output:**
+**Configuration:**
-```json
-[
- {
- "name": "my-workflow",
- "workflowId": "00ab...1234",
- "ownerAddress": "0x1234...abcd",
- "status": "ACTIVE",
- "registry": "onchain:ethereum-mainnet",
- "contractAddress": "0x5678...ef01"
- }
-]
+Add `CRE_CLI_SECRETS_ORG_OWNED: true` to your target environment in your `.env.public` or configuration YAML:
+
+```yaml
+CRE_CLI_SECRETS_ORG_OWNED: true
```
-***
+You must be authenticated with `cre login` and your session must include a valid org ID for this to work.
-## `cre workflow get`
+## Namespaces
-
- Running this command requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to verify you're
- logged in, or run `cre login` to authenticate. See [Creating Your Account](/cre/account/creating-account) and [Logging
- in with the CLI](/cre/account/cli-login) for further details.
-
+Secrets are organized into **namespaces**, which act as logical groupings (e.g., `"main"`, `"staging"`, `"production"`). All secrets are stored in the `"main"` namespace by default. Currently, `create`, `update`, and `delete` commands only support the default namespace. Custom namespace support may be added in future CLI versions.
-Shows metadata for the workflow configured in `workflow.yaml`. The command reads the workflow name for the selected `--target`, searches the CRE platform for matching workflow metadata, and filters results to the workflow's configured `deployment-registry` by default.
-**Usage:**
+
+ - You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
+ - For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
+
-```bash
-cre workflow get [flags]
-```
-**Arguments:**
+
+ All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
+
-- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
+## cre secrets create
-**Flags:**
+Creates new secrets in the Vault DON from a YAML file.
-| Flag | Description |
-| ------------------ | ------------------------------------------------------------------------ |
-| `--all-registries` | Do not filter results by the workflow's configured `deployment-registry` |
+### Usage
-**Examples:**
+```bash
+cre secrets create [SECRETS_FILE_PATH] [flags]
+```
-- Show metadata for the workflow configured for a target
+### Arguments
- ```bash
- cre workflow get ./my-workflow --target staging-settings
- ```
+- `SECRETS_FILE_PATH` — (Required) Path to a YAML file containing the secrets to create
-- Search across all registries in your organization
+### Flags
- ```bash
- cre workflow get ./my-workflow --target staging-settings --all-registries
- ```
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
-The command prints the same human-readable workflow metadata fields as [`cre workflow list`](#cre-workflow-list): workflow name, workflow ID, owner address, status, registry, and registry address when available.
+### Input file format
-***
+YAML file with `secretsNames` structure:
-## `cre workflow custom-build`
-
-
-
- This command permanently modifies your `workflow.yaml`, updating `workflow-path` to `./wasm/workflow.wasm` across all targets. It cannot be undone. After conversion, the CLI will no longer compile your source code automatically — your `Makefile` is responsible for producing the WASM binary.
-
-
-Converts a workflow to use a custom self-compiled WASM build. Instead of the CLI compiling your source automatically, a generated `Makefile` owns the build step. Use this when you need custom compiler flags, CI/CD artifact promotion, pre-build validation, or non-standard toolchains.
-
-**Usage:**
+```yaml
+secretsNames:
+ API_KEY:
+ - API_KEY_VALUE
-```bash
-cre workflow custom-build [flags]
+ DATABASE_URL:
+ - DATABASE_URL_VALUE
```
-**Arguments:**
-
-- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
+- `secretsNames` — Top-level key containing all secrets
+- Each secret key (e.g., `API_KEY`) maps to an array containing an environment variable name
+- Secret values are read from environment variables or `.env` file
-**Flags:**
-| Flag | Description |
-| ------------- | ------------------------------------------------ |
-| `-f, --force` | Skip confirmation prompt and convert immediately |
+
+ Secrets are stored in the `"main"` namespace automatically. Custom namespace support may be added in future CLI versions.
+
-**Example:**
+### Examples
-```bash
-cre workflow custom-build ./my-workflow
-```
+- Create secrets from YAML file
-**Expected output:**
+ ```bash
+ cre secrets create my-secrets.yaml --target production-settings
+ ```
-```bash
-✓ Workflow converted to custom build. workflow-path is now ./wasm/workflow.wasm
- The Makefile is configured to output the WASM to this path. Run: make build
-```
+- Create secrets with custom timeout
-For a full guide including Makefile examples and customization, see [Custom WASM Builds](/cre/guides/operations/custom-build).
+ ```bash
+ cre secrets create my-secrets.yaml --timeout 1h
+ ```
-***
+- Create secrets for multi-sig wallets
-## `cre workflow hash`
+ ```bash
+ cre secrets create my-secrets.yaml --unsigned
+ ```
-Computes and displays content hashes for a workflow without deploying it. Reports the binary hash, config hash, and the workflow hash — the same value used as the onchain workflow ID. This is useful for verifying what will be deployed before submitting a transaction, or for confirming that a build artifact is identical to a previously deployed version.
+## cre secrets update
-Hashes are also displayed automatically during `cre workflow build` and `cre workflow deploy`.
+Updates existing secrets in the Vault DON from a YAML file.
-**Usage:**
+### Usage
```bash
-cre workflow hash [flags]
+cre secrets update [SECRETS_FILE_PATH] [flags]
```
-**Arguments:**
+### Arguments
-- `` — (Required) Path to the workflow folder (e.g., `./my-workflow`)
+- `SECRETS_FILE_PATH` — (Required) Path to a YAML file containing the secrets to update
-**Flags:**
+### Flags
-| Flag | Description |
-| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `--public_key` | Owner address to use when computing the workflow hash. Required when `CRE_ETH_PRIVATE_KEY` is not set and no `workflow-owner-address` is configured in your settings |
-| `--wasm` | Path or URL to a pre-built WASM binary (skips compilation) |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Compute hash without a config file |
-| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
+### Input file format
-
- This command needs your owner address to compute the workflow hash, since the hash incorporates the owner. It derives this from `CRE_ETH_PRIVATE_KEY` by default. If you don't want to provide a private key, pass your address directly with `--public_key`.
-
+Same YAML format as `create`.
-**Examples:**
+### Examples
-- Compute hashes using settings from `workflow.yaml`
+- Update secrets
```bash
- cre workflow hash my-workflow --target staging-settings
+ cre secrets update my-secrets.yaml --target production-settings
```
-- Compute hashes without providing a private key
+- Update secrets with custom timeout
```bash
- cre workflow hash my-workflow --public_key 0xYourOwnerAddress --target staging-settings
+ cre secrets update my-secrets.yaml --timeout 6h
```
-- Compute hashes for a pre-built binary without recompiling
- ```bash
- cre workflow hash my-workflow --wasm ./my-workflow/binary.wasm --target staging-settings
- ```
+
+ Only modifies secrets that already exist. To create new secrets, use `cre secrets create`.
+
-**Example output:**
+## cre secrets delete
-```
-✓ Workflow compiled
- Binary hash: 0dcbb19de3c22edfe61605a970eb6d42199df91ac3e992cd3f2e33cb13efbb4c
- Config hash: 3bdaebcc2f639d77cb248242c1d01c8651f540cdbf423d26fe3128516fd225b6
- Workflow hash: 004fff5bb1ae05cc16e453f8ad564f5e8b0eae1945ec22f3d0adfc0339954d56
-```
+Deletes secrets from the Vault DON based on a YAML file.
+### Usage
-
- The **workflow hash** is the same value that appears as the **Workflow ID** onchain. If your consumer contracts validate the workflow ID, use `cre workflow hash` to check the expected ID before and after updates. See [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) for details.
-
+```bash
+cre secrets delete [SECRETS_FILE_PATH] [flags]
+```
-## `cre workflow limits`
+### Arguments
-Manage simulation limits. Use this command to inspect the default production limits used during `cre workflow simulate`.
+- `SECRETS_FILE_PATH` — (Required) Path to a YAML file containing the secrets to delete
-### `cre workflow limits export`
+### Flags
-Prints the default production limits as JSON to stdout. Use this as a starting point for creating a custom limits file.
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
-**Usage:**
+### Input file format
-```bash
-cre workflow limits export
+YAML file with a simple list of secret identifiers to delete:
+
+```yaml
+secretsNames:
+ - API_KEY
+ - OLD_SECRET
```
-**Example:**
-```bash
-cre workflow limits export > my-limits.json
-```
+
+ The `delete` command uses a simpler format than `create`/`update`: just a list of secret IDs. All secrets are deleted from the `"main"` namespace.
+
-Redirect the output to a file, edit the values you want to adjust, then pass the file to `cre workflow simulate` with the `--limits` flag:
+### Example
```bash
-cre workflow simulate ./my-workflow --limits ./my-limits.json --target staging-settings
+cre secrets delete secrets-to-delete.yaml --target production-settings
```
-See [Testing Production Limits](/cre/guides/operations/understanding-limits) for a full walkthrough.
-
-***
-
-## Workflow lifecycle
-The typical workflow lifecycle uses these commands in sequence:
+
+ Deleting secrets is permanent and cannot be undone.
+
-1. **Develop locally** — Write and iterate on your workflow code
-2. **`cre workflow limits export`** — (Optional) Inspect and customize production limits before simulating
-3. **`cre workflow simulate`** — Test your workflow in a local simulation environment
-4. **`cre workflow build`** — (Optional) Compile to WASM independently; useful in CI/CD pipelines
-5. **`cre workflow hash`** — (Optional) Inspect content hashes before deploying
-6. **`cre workflow deploy`** — Deploy your workflow to the registry
-7. **`cre workflow pause`** / **`cre workflow activate`** — Control workflow execution as needed
-8. **`cre workflow deploy`** (again) — Deploy updates (replaces the existing workflow)
-9. **`cre workflow list`** — (Optional) View all deployed workflows for your organization
-10. **`cre workflow get`** — (Optional) Inspect metadata for the workflow configured in `workflow.yaml`
-11. **`cre workflow delete`** — Remove the workflow when no longer needed
+## cre secrets list
-## Learn more
+Lists all secret identifiers for your owner address (or org ID, when `CRE_CLI_SECRETS_ORG_OWNED=true`) in a specific namespace.
-- [Testing Production Limits](/cre/guides/operations/understanding-limits) — Using the `--limits` flag and `cre workflow limits export`
-- [Simulating Workflows](/cre/guides/operations/simulating-workflows) — Detailed simulation guide
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Detailed deployment guide, including CI/CD pipeline integration
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Managing workflow state
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Version management
-- [Deleting Workflows](/cre/guides/operations/deleting-workflows) — Cleanup and removal
+### Usage
----
+```bash
+cre secrets list [flags]
+```
-# Registry Commands
-Source: https://docs.chain.link/cre/reference/cli/registry
-Last Updated: 2026-05-08
+### Flags
-The `cre registry` commands let you view and inspect the workflow registries available to your organization.
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
-## What is a workflow registry?
+### Example
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+- List secrets in default namespace
-- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
-- **Private registry**: A centralized, off-chain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+ ```bash
+ cre secrets list --target production-settings
+ ```
-Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
+- List secrets in specific namespace
-When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
+ ```bash
+ cre secrets list --namespace production
+ ```
-Each workflow can declare a **`deployment-registry`** in `workflow.yaml` (under the target you deploy with). Set it to one of the **ID** values printed by `cre registry list` (for example `onchain:ethereum-mainnet`). Commands such as [`cre workflow get`](/cre/reference/cli/workflow#cre-workflow-get) use that setting to decide which registry to query by default; use `--all-registries` when you need to search across every registry your org can access.
+### Output
+Returns secret identifiers (not values) for the specified namespace:
-
- Running `cre registry` commands requires you to be logged in. Run `cre whoami` to verify your session, or `cre login` to authenticate. See [Logging in with the CLI](/cre/account/cli-login) for details.
-
+```
+Secret identifiers in namespace 'main':
+ - API_KEY
+ - DATABASE_URL
+ - WEBHOOK_SECRET
+```
-
- All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
+
+ Only returns secret identifiers, never the actual values. Secret values are only accessible to workflows at runtime.
-## `cre registry list`
-
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`. The CLI may also print a short reminder for setting **`deployment-registry`** in `workflow.yaml` (see example output below).
+## Using with multi-sig wallets
-**Usage:**
+All commands support the `--unsigned` flag for multi-sig operations:
```bash
-cre registry list
+cre secrets create my-secrets.yaml --unsigned
```
-**Example output:**
-
-```
-Registries available to your organization
+When `--unsigned` is used:
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: on-chain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+1. CLI generates raw transaction data instead of broadcasting
+2. Transaction payload is returned for submission through your multi-sig interface
+3. After multi-sig confirmation, the secrets operation proceeds
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
+For details, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-Targeting a registry
- Set `deployment-registry` in your workflow.yaml to one of the IDs above:
+## Learn more
- :
- user-workflow:
- deployment-registry: "onchain:ethereum-mainnet"
-```
+- [Managing Secrets](/cre/guides/workflow/secrets) — Overview and decision tree for secrets management
+- [Using Secrets in Simulation](/cre/guides/workflow/secrets/using-secrets-simulation) — For local development
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Complete guide with examples
+- [Managing Secrets with 1Password](/cre/guides/workflow/secrets/managing-secrets-1password) — Best practice for secure management
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig configuration
-Exact registries depend on your organization. Some environments list only on-chain registries; others also include off-chain (private) entries. If no registries are found, the command prints a warning and exits cleanly.
+---
-## Learn more
+# Template Sources
+Source: https://docs.chain.link/cre/reference/cli/templates
+Last Updated: 2026-03-26
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — End-to-end deployment guide
-- [Authentication](/cre/reference/cli/authentication) — Managing your CLI login session and tenant context cache
+The `cre templates` commands manage the GitHub repository sources that `cre init` uses to discover workflow templates.
----
+The CLI always includes two built-in **Hello World** templates (`hello-world-go`, `hello-world-ts`) that are embedded in the binary and available without an internet connection. All other templates are fetched dynamically from GitHub. The Chainlink official template repository (`smartcontractkit/cre-templates`) is configured as the default source — you only need these commands if you want to add custom or third-party template sources.
-# Secrets Management Commands
-Source: https://docs.chain.link/cre/reference/cli/secrets
-Last Updated: 2026-04-10
-
- Running the commands on this page requires you to be logged in with the CRE CLI. Run `cre whoami` in your terminal to
- verify you're logged in, or run `cre login` to authenticate. See [Creating Your
- Account](/cre/account/creating-account) and [Logging in with the CLI](/cre/account/cli-login) for further details.
+
+ All `cre` commands support [global flags](/cre/reference/cli#global-flags) like `--env`, `--target`, `--project-root`, and `--verbose`.
-The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## `cre templates list`
-## Auth modes
+Fetches and displays all templates available from your configured repository sources. Results are cached locally; use `--refresh` to fetch the latest data from GitHub.
-`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
+**Usage:**
-- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+```bash
+cre templates list [flags]
+```
-Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+**Flags:**
-## Authorization flow
+| Flag | Description |
+| ----------- | --------------------------------------------------------- |
+| `--json` | Print the template list as **JSON** (for scripts and CI). |
+| `--refresh` | Bypass the local cache and fetch fresh data from GitHub |
-Secrets operations use your **workflow owner address** to authorize Vault DON access:
+Each entry shows the template title, ID, language, a short description, and **required networks** (chains you must supply RPCs for when using `cre init`, especially with **`--non-interactive`**). Use the template name with **`cre init --template=`** to scaffold a project.
-1. The CLI verifies that your workflow owner address is linked to your account on-chain.
-2. The CLI submits an allowlist request transaction on the workflow registry chain (signed by your private key, or via multi-sig with `--unsigned`).
-3. Once the allowlist entry is confirmed, the CLI encrypts your secrets with the Vault master public key and submits them directly to the Vault DON gateway (CLI v1.8.2+).
+For the current list of available templates, run `cre templates list` or visit [docs.chain.link/cre-templates](https://docs.chain.link/cre-templates).
-This requires a configured `workflow-owner-address` in your project and a linked workflow owner (see `cre account link-key`).
+***
-## Org-owned secrets
+## `cre templates add`
-Starting with CLI v1.10.0, secrets can optionally be owned by your **organization** instead of your individual workflow owner address. When the `CRE_CLI_SECRETS_ORG_OWNED` environment variable is set to `true` in your target configuration, all secrets operations use your org ID (from your authenticated session) as the owner identifier rather than your workflow owner address.
+Adds one or more GitHub repositories as template sources. Sources are saved to `~/.cre/template.yaml` and made available in `cre init`.
-This is useful for teams that share secrets across multiple workflows within an organization, as it decouples secret ownership from individual wallet addresses.
+**Usage:**
-**How it works:**
+```bash
+cre templates add ... [flags]
+```
-- When `CRE_CLI_SECRETS_ORG_OWNED=true`, the CLI uses your org ID as the TDH2 encryption label and vault secret owner
-- When `CRE_CLI_SECRETS_ORG_OWNED=false` (the default), behavior is unchanged — the workflow owner address is used
+The `@ref` portion is optional and specifies a branch, tag, or commit. If omitted, the repository's default branch is used.
-**Configuration:**
+**Examples:**
-Add `CRE_CLI_SECRETS_ORG_OWNED: true` to your target environment in your `.env.public` or configuration YAML:
+```bash
+# Add a single repository (uses default branch)
+cre templates add myorg/my-templates
-```yaml
-CRE_CLI_SECRETS_ORG_OWNED: true
+# Add at a specific branch
+cre templates add myorg/my-templates@main
+
+# Add multiple repositories at once
+cre templates add myorg/my-templates anotherorg/more-templates
```
-You must be authenticated with `cre login` and your session must include a valid org ID for this to work.
+**Example output:**
-## Namespaces
+```
+✓ Added myorg/my-templates@main
-Secrets are organized into **namespaces**, which act as logical groupings (e.g., `"main"`, `"staging"`, `"production"`). All secrets are stored in the `"main"` namespace by default. Currently, `create`, `update`, and `delete` commands only support the default namespace. Custom namespace support may be added in future CLI versions.
+Configured repositories:
+ - smartcontractkit/cre-templates@main
+ - myorg/my-templates@main
+```
-
- - You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
- - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- - For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
+