Currently, we use cursor CLI enterprise to review our PRs. But recently, we got “Please check you have the right key, create a new one, or authenticate without it.”. I tried regenerate new API, but still got it. Beside that i tried authen this key by cursor-agent on my local machine, it still be a valid key. Note that we don’t have any changes in recently workflow github
Steps to Reproduce
cursor-agent --api-key "$CURSOR_API_KEY" --force --model "$MODEL" --output-format=text --print "You are operating in a GitHub Actions runner performing automated code review. The gh CLI is available and authenticated via GH_TOKEN. You may comment on pull requests.
There’s a known issue with CLI authentication in CI environments, especially related to TLS or connectivity between GitHub runners and our API.
Can you share a bit more info to help us debug?
The full error text from your GitHub Actions logs
How are you passing the API key, via the CURSOR_API_KEY environment variable or the --api-key flag?
The relevant part of your workflow YAML (feel free to redact the key)
Also, a quick test: can you try running cursor-agent status in the workflow before the main command? This will confirm whether it’s failing at authentication, or if the issue is further down the chain.
The team is aware of connectivity issues in GitHub Actions. Your report helps us prioritize, especially given the scale of your deployment.
Tks for your supports @deanrie
I want give some additional information
Full Response from cursor-agent
⚠ Warning: The provided API key is invalid.
Please check you have the right key, create a new one, or authenticate without it.
cursor-agent status
✓ Login successful!
Logged in (unable to fetch user details)
I load key by secrets variable of github setting (key still be loaded successfully during workflow)
Full command use CLI cursor-agent --api-key "$CURSOR_API_KEY" --force --model "$MODEL" --output-format=text --print "You are operating in a GitHub Actions runner performing automated code review. The gh CLI is available and authenticated via GH_TOKEN. You may comment on pull requests.
We got this problem from about last week ago, not today
Interesting detail: cursor-agent status shows “Login successful!” but also “unable to fetch user details”. That points to a partial connectivity issue, not a fully invalid key.
There’s a known issue with the TLS handshake between GitHub runners and our API (api2.cursor.sh). This looks like your case. The key is valid (works locally), but the CI run fails.
A couple questions:
Which runner are you using, GitHub-hosted or self-hosted?
Can you add this to your workflow before the main command?
curl -v https://api2.cursor.sh/health 2>&1 | head -30
This will show if there are TLS handshake problems.
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above
SSL certificate problem: self-signed certificate in certificate chain
This isn’t an API key issue. Your self-hosted runner is going through a corporate proxy with SSL inspection, which injects its own certificate. Cursor CLI can’t verify the connection to api2.cursor.sh because it’s not seeing our certificate, it’s seeing your corporate CA.
Fix: add your corporate CA certificate to the runner’s trust store:
Get the corporate CA certificate from your IT/security team.