The permissions and membership define what developers can access on nx.app, but they don't affect what happens when you run Nx commands in CI. To manage that, you need to provision CI access tokens in your workspace settings, under the Access Control tab. Learn more about cache security best practices.

Access Types
Section titled “Access Types”There are currently two (2) types of CI Access Token for Nx Cloud's runner that you can use with your workspace. Both support distributed task execution and allow Nx Cloud to store metadata about runs.
- read-only
- read-write
Read Only Access
Section titled “Read Only Access”The read-only access tokens can only read from the global remote cache. Task results produced with this type of access token will be stored in an isolated remote cache accessible only by that specific branch in a CI context, and cannot influence the global shared cache.
The isolated remote cache produced with a read-only token is accessible to all machines or agents in the same CI execution, enabling cache sharing during distributed task execution.
Read & Write Access
Section titled “Read & Write Access”The read-write access tokens allow task results to be stored in the remote cache for other machines or CI pipelines to download and replay. This access level should only be used for trusted environments such as protected branches within your CI Pipeline.
Setting CI Access Tokens
Section titled “Setting CI Access Tokens”You can configure an access token in CI by setting the NX_CLOUD_ACCESS_TOKEN environment variable.
The NX_CLOUD_ACCESS_TOKEN takes precedence over any authentication method in your nx.json.
We recommend setting up a read-write token for you protected branches in CI and a read-only token for unprotected branches. You can leverage your CI provider's environment variables management to accomplish this.
Azure DevOps
Section titled “Azure DevOps”Azure DevOps provides various mechanisms to limit access to secrets. We'll be using Variable groups in this process, but you can achieve the same result leveraging Azure Key Vault.
- In your project, navigate to Pipelines > Library.  
- Create a new Variable group called protected.- If you already have a variable group for protected environments, we recommend reusing that variable group.
 
- Add the NX_CLOUD_ACCESS_TOKENenvironment variable with theread-writetoken from Nx Cloud. 
- In Pipeline permissions, add your current pipeline configuration.  
- In Approvals and checks, add a new Branch control check.  
- Create the Branch control check with only allowing your protected branches and checking Verify branch protection option.  
- Create another variable group called unprotected.
- Add the NX_CLOUD_ACCESS_TOKENenvironment variable with theread-onlytoken from Nx Cloud.
- In Pipeline permissions, add your current pipeline configuration.
- In Approvals and checks, add a new Branch control check with the *wildcard for branches and leaving Verify branch protection unchecked. 
- Now you should see 2 Variable groups for protected and unprotected usage.  
- Update your pipeline to include the 2 variable groups, with conditional access for the protected variable group.
Example usage:
variables:  - group: unprotected  - ${{ if eq(variables['Build.SourceBranchName'], 'main') }}:      - group: protectedBitBucket Cloud
Section titled “BitBucket Cloud”BitBucket Cloud supports setting environment variables per environment called Deployment variables. You can read the official BitBucket Pipelines documentation for more details.
- In your repository, navigate to the Repository settings > Deployment.
- Select an environment you have configured for protected branches, or create a new one and protect your primary branches.- Note: selecting branch protection rules is a premium feature of BitBucket Cloud.  
 
- Note: selecting branch protection rules is a premium feature of BitBucket Cloud. 
- Set the environment variable NX_CLOUD_ACCESS_TOKENwith theread-writetoken from Nx Cloud.
- Navigate to the Repository settings > Repository variables tab and set the variable NX_CLOUD_ACCESS_TOKENwith theread-onlytoken from Nx Cloud. 
- Update the bitbucket-pipelines.ymlfile to include the deployment name mentioned in step 2.
Example usage:
pipelines:  branches:    main:      - step:          name: 'main checks'          deployment: Production          ...CircleCI
Section titled “CircleCI”Circle CI allows creating contexts and restricting those based on various rules. You can read the official CircleCI documentation for more details.
- In your organization, navigate to Organization settings > Contexts and create a new context.- If you already have a context for protected environments, we recommend reusing that context.  
 
- If you already have a context for protected environments, we recommend reusing that context. 
- Click on Add Expression Restriction that restricts the context to protected branches only such as only the mainbranch, e.g.,pipeline.git.branch == "main". 
- Click on Add Environment Variable and add the NX_CLOUD_ACCESS_TOKENenvironment variable with theread-writetoken from Nx Cloud.
- Back on the organization home page, navigate to your projects, then view the pipeline settings.
- Navigate to Environment Variables and click Add Environment Variable and add the NX_CLOUD_ACCESS_TOKENenvironment variable with theread-onlytoken from Nx Cloud. 
- Update your pipeline to include steps where you want to write to the nx cache with the correct contexts.
Example usage:
jobs:  run-tests-protected:    - ...  run-tests-prs:    - ...
workflows:  my-workflow:    jobs:      - run-tests-protected:          context:            - protected-branches          filters:            branches:              only: main      - run-tests-prs:          filters:            branches:              ignore: mainGitHub Actions
Section titled “GitHub Actions”GitHub allows specifying different secrets for each environment, where an environment can be on a specific branch. You can read the official GitHub Actions documentation for more details.
- In your repository, navigate to Settings tab.
- Click on "Environments" and create an environment for your protected branches.- Typically, organizations already have some kind of 'release' or 'protected' environments that can be leveraged.
- If you do not have any protected branches, it's recommended to make at least your default branch a protected branch i.e., main/master.
 
- Add a restriction for how the environment will be applied, and apply to all protected branches.  
- Add the read-writeaccess token with the nameNX_CLOUD_ACCESS_TOKENto your environment.
- Click the Secrets and variables > Actions tab in the sidebar.
- Add the read-onlyaccess token with the nameNX_CLOUD_ACCESS_TOKENto the repository secrets.
- Now you should see 2 secrets where 1 is a part of the protected environment and the other is the default repository secrets.  
Example usage:
name: CI
env:  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
jobs:  main:    runs-on: ubuntu-latest    steps: ...GitLab
Section titled “GitLab”GitLab allows creating variables scoped to specific environments. You can read the Official GitLab documentation for more details.
- In your project, navigate to Operate > Environments and create a new environment. You do not need to fill out the External Url or GitLab agent.- Most projects already have a production/protected environments, so we recommend using this one if it's already defined.  
 
- Most projects already have a production/protected environments, so we recommend using this one if it's already defined. 
- In your project, navigate to Settings > CI/CD tab and expand the Variables section.
- Click on Add variable and fill in the following information:- Type: Variable
- Environments: All
- Visibility: Masked and hidden
- Flags: uncheck Protected variable
- Description: "read-only token for nx-cloud"
- Key: NX_CLOUD_ACCESS_TOKEN
- Value: Your read-onlytoken from Nx Cloud
 
- Click Add variable.  
- Click on Add variable again and fill in the following information:- Type: Variable
- Environments: Your protected environment created in step 1
- Visibility: Masked and hidden
- Flags: check Protected variable
- Description: "read-write token for nx-cloud"
- Key: NX_CLOUD_ACCESS_TOKEN
- Value: Your read-writetoken from Nx Cloud
 
- Click Add variable.  
- Now you should see 2 secrets where 1 is a part of the protected & tagged to the environment and the other is not.  
- Update your pipeline to include steps where you want to write to the nx cache with the correct contexts.
Example usage:
<job-name>:  environment:    name: <environment-name>Jenkins
Section titled “Jenkins”Jenkins configuration can be quite extensive making each Jenkins instance unique. Because of this we can only provide a minimal viable approach, but there can be multiple ways to provide scoped access tokens to your pipelines. The goal is to create two areas within Jenkins, where one is the protected and the other is the unprotected. These specifically map to how you deem your branches should have read/write vs read permissions. We recommend making branches that developers cannot directly push to and require a code review to merge to, as the protected branches, and the rest being unprotected.
- Minimally, this can be achieved via the following Jenkins plugins:
- Create a folder for the unprotected and protected pipelines.- The names can be anything that makes sense for your organization, such as releases or PRs etc.
 
- Go into the unprotected folder and create a credential for NX_CLOUD_ACCESS_TOKENwith theread-onlytoken from Nx Cloud.
- Go into the protected folder and create a credential for NX_CLOUD_ACCESS_TOKENwith theread-writetoken from Nx Cloud.
- Use the credential inside your pipeline Jenkinsfilewith the Credential Binding plugin.
Example usage:
// Jenkinsfilepipeline {  agent any  stages {    stage('Build') {      steps {        withCredentials([string(credentialsId: 'NX_CLOUD_ACCESS_TOKEN', variable: 'NX_CLOUD_ACCESS_TOKEN')]) {          sh 'echo "nx cloud access token is now set in this context"'        }      }    }  }}Legacy methods of setting CI Access Tokens
Section titled “Legacy methods of setting CI Access Tokens”Using CI Access Tokens in nx.json
Section titled “Using CI Access Tokens in nx.json”We do not recommend that you commit an access token to your repository but older versions of Nx do support this and if you open your nx.json, you may see something like this:
{  "nxCloudAccessToken": "SOMETOKEN"}{  "tasksRunnerOptions": {    "default": {      "runner": "nx-cloud",      "options": {        "accessToken": "SOMETOKEN"      }    }  }}Using nx-cloud.env
Section titled “Using nx-cloud.env”You can set an environment variable locally via the nx-cloud.env file. Nx Cloud CLI will look in this file to load custom configuration like NX_CLOUD_ACCESS_TOKEN. These environment variables will take precedence over the configuration in nx.json.