From b3513d482b081fd55513351f1a2700d5c5001acf Mon Sep 17 00:00:00 2001
From: De Clercq Wentzel <10665586+wentzeld@users.noreply.github.com>
Date: Tue, 28 Apr 2026 17:01:02 -0700
Subject: [PATCH 1/4] docs(cre): document private registry, control plane, and
deployment-registry breaking change
---
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 2 +-
.../part-1-project-setup-ts.mdx | 2 +-
.../guides/operations/deploying-workflows.mdx | 85 ++++++-
.../secrets/using-secrets-deployed.mdx | 19 +-
src/content/cre/key-terms.mdx | 9 +
src/content/cre/llms-full-go.txt | 211 +++++++++++++++---
src/content/cre/llms-full-ts.txt | 211 +++++++++++++++---
src/content/cre/reference/cli/registry.mdx | 6 +
src/content/cre/reference/cli/secrets.mdx | 47 ++--
.../reference/project-configuration-go.mdx | 25 ++-
.../reference/project-configuration-ts.mdx | 25 ++-
src/content/cre/release-notes.mdx | 15 ++
14 files changed, 550 insertions(+), 115 deletions(-)
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 1ae8628f26e..300283bd2a3 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index bad30a330e6..01cf2e63c90 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index 87452c132af..0e0bfc78622 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/getting-started/part-1-project-setup-ts.mdx b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
index 74837dc30fb..fdb7e6e3546 100644
--- a/src/content/cre/getting-started/part-1-project-setup-ts.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 576187cfe75..0691a43079a 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -18,7 +18,21 @@ import { Aside } from "@components"
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+{/* prettier-ignore */}
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+```yaml
+user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+```
+
+See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -26,8 +40,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -35,7 +102,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-1. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
{/* prettier-ignore */}
@@ -144,11 +213,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-1. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+1. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
diff --git a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
index 7aba4836364..d2a44add811 100644
--- a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
+++ b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
@@ -25,7 +25,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
1. **Authentication**: You must be logged in with `cre login`
-1. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index 7ee64e98698..e0142d2eee1 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -22,6 +22,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index bbf859afeba..b78a11f6631 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -163,6 +163,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
@@ -452,6 +461,21 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
@@ -4719,7 +4743,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
@@ -5751,7 +5792,20 @@ Last Updated: 2026-03-17
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ ```yaml
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ ```
+
+ See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -5759,8 +5813,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -5768,7 +5875,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
@@ -5877,11 +5986,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-2. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -9259,8 +9370,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
@@ -9282,6 +9399,15 @@ Last Updated: 2026-04-10
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -9347,10 +9473,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9410,10 +9537,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9454,10 +9582,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9497,11 +9626,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
@@ -10154,8 +10284,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10304,7 +10434,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with go version. See [Install Go](https://go.dev/doc/install) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16316,11 +16446,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16330,6 +16469,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16338,13 +16478,14 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index e5f4059a987..d0b97c32b50 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -163,6 +163,15 @@ The all-in-one orchestration layer unlocking institutional-grade smart contracts
A decentralized, peer-to-peer network of independent nodes that work together to execute a specific task. In CRE, there are two primary types of DONs: **Workflow DONs** that orchestrates the workflow, and specialized **Capability DONs** that execute specific tasks like blockchain interactions.
+### Control plane
+
+How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
+
+- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+
## Workflow architecture
### Workflow
@@ -452,6 +461,21 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
@@ -4039,7 +4063,24 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **Owner address configured**: Your `workflow-owner-address` must be set in your project configuration
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+
+## Auth modes: web3 key vs. browser auth
+
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+
+You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
+
+```bash
+# Web3-keyed (on-chain registry)
+cre secrets create production-secrets.yaml --target production-settings
+
+# Browser auth (private registry / org-owned)
+cre secrets create production-secrets.yaml --target staging-settings --secrets-auth=browser
+```
## How secrets work with deployed workflows
@@ -4850,7 +4891,20 @@ Last Updated: 2026-03-17
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with the onchain Workflow Registry contract. This makes your workflow "live" so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don).
+
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ ```yaml
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ ```
+
+ See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+
+
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
## Prerequisites
@@ -4858,8 +4912,61 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **[Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Linked your EOA or multi-sig wallet to your account by running `cre account link-key`.
-- **A funded wallet**: The account you are deploying from must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain registration transaction to the Workflow Registry contract.
+- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
+- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+
+## Choosing your registry
+
+Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
+
+### Control plane: web3 key vs. auth-only
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+
+- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
+- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+
+Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+
+### Managing with a web3 key
+
+Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
+
+1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
+2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
+3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
+4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+### Managing with auth only
+
+Use this flow when `deployment-registry: "private"` (the default):
+
+1. Log in once with `cre login`.
+2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
+3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
+
+If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -4867,7 +4974,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Compiles** your workflow to a WASM binary.
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). This transaction contains the metadata for your workflow, including its name, owner, and the URL of its artifacts in the storage service.
+3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
+ - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
+ - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
@@ -4976,11 +5085,13 @@ Details:
## Verifying your deployment
-After a successful deployment, you can verify that your workflow was registered correctly in two ways:
+After a successful deployment, you can verify that your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history.
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-2. **Block Explorer**: Check the Workflow Registry contract on a block explorer. The CLI output will provide the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at the address `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -8872,8 +8983,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
@@ -8895,6 +9012,15 @@ Last Updated: 2026-04-10
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -8960,10 +9086,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9023,10 +9150,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9067,10 +9195,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -9110,11 +9239,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | *auto* | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
@@ -10047,8 +10177,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Connect your wallet to your organization
-2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10197,7 +10327,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with bun --version. See [Install Bun](https://bun.com) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16174,11 +16304,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16188,6 +16327,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16196,13 +16336,14 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index dd3edc9e77d..277c393f87d 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -47,8 +47,14 @@ ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
```
+The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+
If no registries are found for your environment, the command prints a warning and exits cleanly.
## Learn more
diff --git a/src/content/cre/reference/cli/secrets.mdx b/src/content/cre/reference/cli/secrets.mdx
index 1dc9db42f98..d5f9b6f2069 100644
--- a/src/content/cre/reference/cli/secrets.mdx
+++ b/src/content/cre/reference/cli/secrets.mdx
@@ -18,6 +18,15 @@ import { Aside } from "@components"
The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.
+## Auth modes
+
+`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+
+- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
+
+Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
+
## Authorization flow
Starting with CLI v1.9.0, secrets operations use a **browser-based OAuth (PKCE) flow** to authorize Vault DON access:
@@ -83,10 +92,11 @@ cre secrets create [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -146,10 +156,11 @@ cre secrets update [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -190,10 +201,11 @@ cre secrets delete [SECRETS_FILE_PATH] [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------ | -------- | ------- | --------------------------------------------------------------- |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Input file format
@@ -233,11 +245,12 @@ cre secrets list [flags]
### Flags
-| Flag | Type | Default | Description |
-| ------------- | -------- | -------- | --------------------------------------------------------------- |
-| `--namespace` | string | `"main"` | Namespace to list secrets from |
-| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
-| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| Flag | Type | Default | Description |
+| ---------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--namespace` | string | `"main"` | Namespace to list secrets from |
+| `--timeout` | duration | `48h` | Timeout for the operation (e.g., `30m`, `2h`, `48h`). Max: `7d` |
+| `--unsigned` | boolean | `false` | Generate raw transaction data for multi-sig wallets |
+| `--secrets-auth` | string | _auto_ | Authorization mode. Set to `browser` to authorize via browser-based OAuth (PKCE) using your CRE login session. See [Auth modes](#auth-modes). |
### Example
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index b9c93a88de1..5affc92515c 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -131,11 +131,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -145,6 +154,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -153,13 +163,14 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index 024ffe1765b..72d3866b635 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -136,11 +136,20 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
+
+ Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
+ If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
+ "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
+ deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
+ Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
+ deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -150,6 +159,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -158,13 +168,14 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
diff --git a/src/content/cre/release-notes.mdx b/src/content/cre/release-notes.mdx
index 49a6a7f1502..9c8007fb657 100644
--- a/src/content/cre/release-notes.mdx
+++ b/src/content/cre/release-notes.mdx
@@ -12,6 +12,21 @@ import { Aside } from "@components"
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v1.13.0 - April 28, 2026
+
+**CRE CLI version 1.13.0 is now available.**
+
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When you run any CRE command, the CLI will automatically detect if a newer version is available and prompt you to update. Simply run `cre update` to install the latest version.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
+[See all changes on GitHub](https://github.com/smartcontractkit/cre-cli/compare/v1.12.0...v1.13.0)
+
## CLI v1.12.0 - April 23, 2026
**CRE CLI version 1.12.0 is now available.**
From e74a84e51b3853e0586fcadf1445ef2f65427978 Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Thu, 30 Apr 2026 19:29:10 -0500
Subject: [PATCH 2/4] updates
---
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 2 +-
.../part-1-project-setup-ts.mdx | 2 +-
.../activating-pausing-workflows.mdx | 26 +-
.../guides/operations/deleting-workflows.mdx | 24 +-
.../guides/operations/deploying-workflows.mdx | 201 +++++++-
.../updating-deployed-workflows.mdx | 13 +-
.../secrets/using-secrets-deployed.mdx | 10 +-
src/content/cre/key-terms.mdx | 18 +-
src/content/cre/llms-full-go.txt | 447 +++++++++++++-----
src/content/cre/llms-full-ts.txt | 447 +++++++++++++-----
src/content/cre/organization/linking-keys.mdx | 18 +-
src/content/cre/reference/cli/account.mdx | 6 +-
src/content/cre/reference/cli/index.mdx | 14 +-
src/content/cre/reference/cli/registry.mdx | 15 +-
src/content/cre/reference/cli/secrets.mdx | 8 +-
src/content/cre/reference/cli/workflow.mdx | 34 +-
.../reference/project-configuration-go.mdx | 43 +-
.../reference/project-configuration-ts.mdx | 43 +-
src/content/cre/release-notes.mdx | 17 +-
21 files changed, 997 insertions(+), 399 deletions(-)
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 300283bd2a3..4ab8e6db38d 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index 01cf2e63c90..c322b79677c 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index 0e0bfc78622..d70935a9e87 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/getting-started/part-1-project-setup-ts.mdx b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
index fdb7e6e3546..fe05c56722d 100644
--- a/src/content/cre/getting-started/part-1-project-setup-ts.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-ts.mdx
@@ -34,7 +34,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
diff --git a/src/content/cre/guides/operations/activating-pausing-workflows.mdx b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
index 7d30817d2d0..037c2be35a7 100644
--- a/src/content/cre/guides/operations/activating-pausing-workflows.mdx
+++ b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
@@ -10,7 +10,7 @@ metadata:
import { Aside } from "@components"
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -21,11 +21,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -46,15 +47,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
1. It validates that the workflow is currently paused
-1. If valid, it sends an onchain transaction to change the status to active
+1. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -114,11 +116,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
1. It validates that the workflow is currently active
-1. If valid, it sends an onchain transaction to change the status to paused
+1. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -162,7 +164,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/operations/deleting-workflows.mdx b/src/content/cre/guides/operations/deleting-workflows.mdx
index 826b3a69070..8446e5be519 100644
--- a/src/content/cre/guides/operations/deleting-workflows.mdx
+++ b/src/content/cre/guides/operations/deleting-workflows.mdx
@@ -3,24 +3,25 @@ section: cre
date: Last Modified
title: "Deleting Workflows"
metadata:
- description: "Remove workflows permanently: learn how to safely delete deployed workflows from the Workflow Registry when no longer needed."
+ description: "Remove workflows permanently: learn how to safely delete deployed workflows from their configured registry when no longer needed."
datePublished: "2025-11-04"
lastModified: "2025-11-04"
---
import { Aside } from "@components"
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -33,21 +34,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
1. It displays details about the workflow(s) to be deleted
1. It prompts you to confirm by typing the workflow name
-1. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+1. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
{/* prettier-ignore */}
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -105,7 +107,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 0691a43079a..6fec455e5b1 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -19,20 +19,48 @@ import { Aside } from "@components"
{/* prettier-ignore */}
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
-See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+{/* prettier-ignore */}
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -40,8 +68,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -58,24 +87,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -88,13 +121,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -104,7 +230,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
{/* prettier-ignore */}
@@ -113,9 +239,9 @@ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -150,7 +276,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -211,6 +339,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -219,7 +378,7 @@ After a successful deployment, you can verify that your workflow was registered
1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-1. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+1. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index d3ce1a4b47c..05c586e27f5 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -10,7 +10,7 @@ metadata:
import { Aside } from "@components"
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
{/* prettier-ignore */}
@@ -21,11 +21,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -39,7 +40,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
1. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-1. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+1. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
1. **Replacement**: The previous version is replaced with the new deployment
1. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -62,7 +63,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
diff --git a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
index d2a44add811..52a91e8b010 100644
--- a/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
+++ b/src/content/cre/guides/workflow/secrets/using-secrets-deployed.mdx
@@ -25,19 +25,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
1. **Authentication**: You must be logged in with `cre login`
-1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+1. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index e0142d2eee1..78a4bec8eff 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -26,11 +26,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index b78a11f6631..fc8897eb6b2 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -167,11 +167,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
@@ -461,13 +475,26 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
@@ -4743,19 +4770,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
@@ -5793,19 +5820,47 @@ Last Updated: 2026-03-17
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+ Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+ ```text
+ Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+ Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+ Run "cre registry list" to see your available registries.
+ ```
+
+ Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
- See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+ See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -5813,8 +5868,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -5831,24 +5887,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -5861,13 +5921,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -5877,7 +6030,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
@@ -5886,9 +6039,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -5923,7 +6076,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -5984,6 +6139,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -5992,7 +6178,7 @@ After a successful deployment, you can verify that your workflow was registered
2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -6092,7 +6278,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -6103,11 +6289,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6128,15 +6315,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently paused
-3. If valid, it sends an onchain transaction to change the status to active
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -6196,11 +6384,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently active
-3. If valid, it sends an onchain transaction to change the status to paused
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -6244,7 +6432,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -6261,7 +6449,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
Last Updated: 2026-01-23
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
@@ -6272,11 +6460,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6290,7 +6479,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-3. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
4. **Replacement**: The previous version is replaced with the new deployment
5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -6313,7 +6502,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -6329,17 +6518,18 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
Last Updated: 2025-11-04
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -6352,21 +6542,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
2. It displays details about the workflow(s) to be deleted
3. It prompts you to confirm by typing the workflow name
-4. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -6424,7 +6615,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -7501,16 +7692,18 @@ CRE uses a simple role-based access control system with two roles:
Source: https://docs.chain.link/cre/organization/linking-keys
Last Updated: 2025-11-04
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via cre account list-key
@@ -7543,7 +7736,7 @@ Before linking a key, ensure you have:
## Linking your first key
-The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows), the CLI will detect that your address isn't linked and prompt you to link it.
+The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
### Automatic linking during deployment
@@ -7625,7 +7818,7 @@ View on explorer: https://etherscan.io/tx/
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -7769,7 +7962,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -7849,7 +8042,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
@@ -8379,7 +8572,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -8393,11 +8586,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -8421,7 +8614,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
@@ -8613,7 +8806,7 @@ PRODUCTION:
Source: https://docs.chain.link/cre/reference/cli/account
Last Updated: 2026-02-26
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
@@ -8673,7 +8866,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
@@ -8950,7 +9143,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -8970,7 +9163,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -9013,7 +9206,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -9027,10 +9220,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9048,7 +9241,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -9062,10 +9255,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9088,7 +9281,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -9102,10 +9295,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -9337,7 +9530,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -9353,7 +9551,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -9368,15 +9566,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -9401,9 +9599,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -9447,8 +9645,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
@@ -10284,8 +10482,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10434,7 +10632,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Go**: You must have Go version 1.25.3 or higher installed. Check your version with go version. See [Install Go](https://go.dev/doc/install) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16367,11 +16565,11 @@ myProject/
│ ├── abi/ # Contract ABI files (.abi JSON format)
│ └── generated/ # Auto-generated Go bindings
├── workflow1/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
├── workflow2/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
└── …
@@ -16379,7 +16577,7 @@ myProject/
- `go.mod` / `go.sum`: **Go module definition** and dependency management for the entire project.
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/evm/src/abi/`: **Contract ABIs**, where you place `.abi` JSON files for contract binding generation.
- `contracts/evm/src/generated/`: **Generated Go bindings**, automatically created by the CRE CLI from your ABI files using `cre generate-bindings`.
@@ -16446,12 +16644,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -16459,7 +16657,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16469,7 +16667,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16478,18 +16676,19 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index d0b97c32b50..5e568d8bd63 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -167,11 +167,25 @@ A decentralized, peer-to-peer network of independent nodes that work together to
How you manage a workflow's lifecycle (deploy, activate, pause, update, delete) and its secrets. CRE supports two modes, selected per target via `user-workflow.deployment-registry` in `workflow.yaml`:
-- **Web3 key** — operations sign onchain transactions to the Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no gas. Used when `deployment-registry: "private"` (the default).
+- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+### Public workflow
+
+A workflow whose lifecycle is managed through the public onchain Workflow Registry. In `workflow.yaml`, this is selected with `deployment-registry: "onchain:ethereum-mainnet"`.
+
+### Private workflow
+
+A workflow whose lifecycle is managed through the Chainlink-hosted private registry. In `workflow.yaml`, this is selected with `deployment-registry: "private"`. Private workflow management is centralized and offchain.
+
+Private does not mean confidential. A private workflow uses a private registry for management, but its execution is not confidential unless it explicitly uses a confidential execution feature or capability.
+
+### Confidential workflow or confidential execution
+
+Execution that uses a confidential runtime, TEE, enclave, or confidential capability to protect data during execution. This is separate from registry selection. Confidential execution does not require the private registry, and a workflow can use confidential execution while still being managed through the public onchain registry.
+
## Workflow architecture
### Workflow
@@ -461,13 +475,26 @@ Last Updated: 2026-04-24
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
@@ -4063,19 +4090,19 @@ Before managing secrets for deployed workflows, ensure you have:
1. **CRE CLI installed**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux)
2. **Authentication**: You must be logged in with `cre login`
-3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the on-chain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
+3. **(Web3-keyed flow only) Owner address configured**: When managing secrets owned by a workflow owner address (the onchain registry flow), your `workflow-owner-address` must be set. Browser-auth flows on the private registry use your CRE login session and don't require this.
## Auth modes: web3 key vs. browser auth
-`cre secrets` supports two ways to authorize Vault operations, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two ways to authorize Vault operations, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
-- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry (the default), or when your team manages secrets at the organization level rather than per-wallet.
+- **Web3-keyed.** Each operation submits an onchain authorization tied to your linked workflow owner address (`workflow-owner-address`). Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Browser auth (`--secrets-auth=browser`).** The CLI opens a browser-based OAuth (PKCE) flow against the Vault DON gateway and authorizes the operation against your CRE organization. No wallet, no gas, no `workflow-owner-address` needed. Use this when your workflow is deployed to the `private` registry, or when your team manages secrets at the organization level rather than per-wallet.
You can specify the mode per command with `--secrets-auth`. If omitted, the CLI uses the default for your target.
```bash
-# Web3-keyed (on-chain registry)
+# Web3-keyed (onchain registry)
cre secrets create production-secrets.yaml --target production-settings
# Browser auth (private registry / org-owned)
@@ -4892,19 +4919,47 @@ Last Updated: 2026-03-17
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain). Existing workflows that deployed to the on-chain Ethereum Mainnet registry **will not redeploy to the same registry on the next `cre workflow deploy`** unless you add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` in each affected target of your `workflow.yaml`:
+
+ Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
+ `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
+ field when you want a different registry, such as the public onchain Workflow Registry.
+
+ Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
+
+ ```text
+ Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+ Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+ Run "cre registry list" to see your available registries.
+ ```
+
+ Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
```yaml
user-workflow:
workflow-name: "my-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet"
+ deployment-registry: "private"
```
- See [Choosing your registry](#choosing-your-registry) below for the full migration path.
+ See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registries today: the **on-chain** Workflow Registry contract on Ethereum Mainnet and the **private** Chainlink-hosted registry. Pick which one a target deploys to with the `deployment-registry` field in your `workflow.yaml`.
+When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+
+- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
+- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+
+This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+
+
+
+ A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+
## Prerequisites
@@ -4912,8 +4967,9 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(On-chain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the default `private` registry do not need a linked key.
-- **(On-chain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
+- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
+- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
## Choosing your registry
@@ -4930,24 +4986,28 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-### Control plane: web3 key vs. auth-only
+### Private vs. public workflow management
+
+CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per-target by setting `deployment-registry`:
+| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
+| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-- **On-chain registry (`onchain:ethereum-mainnet`) — managed with a web3 key.** Each lifecycle command submits a transaction to the on-chain Workflow Registry contract, signed by your linked wallet. Requires `cre account link-key`, an RPC for Ethereum Mainnet, and a funded wallet to pay gas.
-- **Private registry (`private`) — managed with auth only.** Each lifecycle command is authorized by your CRE login session (`cre login`). No wallet, no gas, no key linking. Multiple team members on the same organization can manage the same workflows once authenticated.
+Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-Secrets follow the same split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
+Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
### Managing with a web3 key
@@ -4960,13 +5020,106 @@ Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
### Managing with auth only
-Use this flow when `deployment-registry: "private"` (the default):
+Use this flow when `deployment-registry: "private"`:
1. Log in once with `cre login`.
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the on-chain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
+
+## Migrate an existing workflow
+
+CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
+
+### Who is affected
+
+You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+After upgrading, the CLI reports the missing field and points to the target that needs the update:
+
+```text
+Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
+
+Add the field to your workflow.yaml under each target's user-workflow section:
+
+ staging-settings:
+ user-workflow:
+ deployment-registry: "private"
+
+Run "cre registry list" to see your available registries.
+```
+
+Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
+
+### Step 1: List available registries
+
+Log in, then list the registries available to your organization:
+
+```bash
+cre login
+cre registry list
+```
+
+Use the `ID` value from the output in `workflow.yaml`.
+
+### Step 2: Choose public or private workflow management
+
+Choose the registry that matches how you want to manage the workflow:
+
+- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
+- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
+
+The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
+
+### Step 3: Update affected targets
+
+Add `deployment-registry` under `user-workflow` for each target that is missing it.
+
+**Keep an existing workflow on the public onchain registry:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+**Use the private registry for workflow management:**
+
+```yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+```
+
+Repeat this for `production-settings` and any other target that needs migration.
+
+### Step 4: Re-run the command
+
+After the YAML is updated, rerun the command that failed:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
## The deployment process
@@ -4976,7 +5129,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** (default) — registers the workflow with the Chainlink-hosted registry, authorized by your CRE login session. No transaction, gas, or RPC is required.
+ - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
@@ -4985,9 +5138,9 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` is required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
-If you are deploying from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
@@ -5022,7 +5175,9 @@ cre workflow deploy my-workflow --target production-settings
### Step 3: Monitor the output
-The CLI will provide detailed logs of the deployment process, including the compilation, upload to the CRE Storage Service, and the final onchain transaction.
+The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
+
+**Example onchain registry output:**
```bash
> cre workflow deploy my-workflow --target production-settings
@@ -5083,6 +5238,37 @@ Details:
Config URL: https://storage.cre.example.com/artifacts//config
```
+**Example private/offchain registry output:**
+
+```bash
+> cre workflow deploy my-workflow --target staging-settings
+
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
## Verifying your deployment
After a successful deployment, you can verify that your workflow was registered correctly:
@@ -5091,7 +5277,7 @@ After a successful deployment, you can verify that your workflow was registered
2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-3. **Block Explorer (on-chain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
## CI/CD pipeline integration
@@ -5191,7 +5377,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
-After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the Workflow Registry contract, determining whether it can respond to triggers.
+After deploying a workflow, you can control its operational state using the `cre workflow activate` and `cre workflow pause` commands. These commands modify the workflow's status in the registry selected by `deployment-registry`, determining whether it can respond to triggers.
**Workflow states:**
@@ -5202,11 +5388,12 @@ After deploying a workflow, you can control its operational state using the `cre
Before activating or pausing workflows, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can activate or pause it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: You must have a workflow that has been successfully deployed to the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5227,15 +5414,16 @@ cre workflow activate my-workflow --target production-settings
The CLI identifies which workflow to activate based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during activation
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently paused
-3. If valid, it sends an onchain transaction to change the status to active
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow activate my-workflow --target production-settings
@@ -5295,11 +5483,11 @@ cre workflow pause my-workflow --target production-settings
### What happens during pausing
-1. The CLI fetches the workflow matching your workflow name and owner address
+1. The CLI fetches the workflow matching your workflow name and configured registry authorization
2. It validates that the workflow is currently active
-3. If valid, it sends an onchain transaction to change the status to paused
+3. If valid, it updates the workflow status in the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
-### Example output
+### Example onchain registry output
```bash
> cre workflow pause my-workflow --target production-settings
@@ -5343,7 +5531,7 @@ Details:
## Using multi-sig wallets
-Both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, both `activate` and `pause` commands support multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -5360,7 +5548,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/updating-deployed-workflows
Last Updated: 2026-01-23
-When you update a deployed workflow, you redeploy it with the same workflow name. The new deployment replaces the previous version in the Workflow Registry contract. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
+When you update a deployed workflow, you redeploy it with the same workflow name and the same `deployment-registry` target. The new deployment replaces the previous version in that registry. Currently, CRE does not maintain version history—each deployment overwrites the previous one.
@@ -5371,11 +5559,12 @@ When you update a deployed workflow, you redeploy it with the same workflow name
Before updating a deployed workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can update it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must already exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5389,7 +5578,7 @@ cre workflow deploy my-workflow --target production-settings
1. **Compilation**: Your updated workflow code is compiled to WASM
2. **Upload**: The new binary and configuration files are uploaded to the CRE Storage Service
-3. **Registration**: A new registration transaction is sent to the Workflow Registry contract
+3. **Registration**: The new workflow version is registered with the target's configured registry. For `onchain:ethereum-mainnet`, this sends a transaction to the Workflow Registry contract. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
4. **Replacement**: The previous version is replaced with the new deployment
5. **Status preserved**: The workflow's status (active or paused) is preserved from the previous deployment
@@ -5412,7 +5601,7 @@ cre workflow deploy my-workflow --target production-settings
## Using multi-sig wallets
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -5428,17 +5617,18 @@ For complete setup instructions, configuration requirements, and step-by-step gu
Source: https://docs.chain.link/cre/guides/operations/deleting-workflows
Last Updated: 2025-11-04
-Deleting a workflow permanently removes it from the Workflow Registry contract. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
+Deleting a workflow permanently removes it from the registry selected by `deployment-registry`. This action cannot be undone, and the workflow will no longer be able to respond to triggers.
## Prerequisites
Before deleting a workflow, ensure you have:
-- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the Workflow Registry.
-- **Workflow ownership**: You must be the owner of the workflow (the account that originally deployed it). Only the workflow owner can delete it.
+- **A [deployed workflow](/cre/guides/operations/deploying-workflows)**: The workflow must exist in the registry selected by `deployment-registry`.
+- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay the gas fees for the onchain transaction to the Workflow Registry contract.
+- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -5451,21 +5641,22 @@ cre workflow delete my-workflow --target production-settings
The CLI identifies which workflow to delete based on:
- `workflow-name` from your `workflow.yaml` file
-- `workflow-owner-address` (either from `workflow.yaml` or derived from your private key in `.env`)
+- `deployment-registry` from your `workflow.yaml` file
+- `workflow-owner-address` for onchain registry workflows, or your CRE organization for private registry workflows
### What happens during deletion
-1. The CLI fetches all workflows matching your workflow name and owner address
+1. The CLI fetches all workflows matching your workflow name and configured registry authorization
2. It displays details about the workflow(s) to be deleted
3. It prompts you to confirm by typing the workflow name
-4. Once confirmed, it sends an onchain transaction to delete the workflow from the Workflow Registry
+4. Once confirmed, it deletes the workflow from the target's configured registry. For `onchain:ethereum-mainnet`, this sends an onchain transaction. For `private`, this updates the Chainlink-hosted private registry through your CRE login session.
- **This action cannot be undone.** Once a workflow is deleted from the Workflow Registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
+ **This action cannot be undone.** Once a workflow is deleted from its configured registry, it is permanently removed and can no longer respond to triggers. The CLI requires you to type the workflow name to confirm this destructive operation.
-### Example output
+### Example onchain registry output
```bash
> cre workflow delete my-workflow --target production-settings
@@ -5523,7 +5714,7 @@ cre workflow delete my-workflow --yes --target production-settings
## Using multi-sig wallets
-The `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+For onchain registry workflows, the `delete` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly. Private registry workflows do not use `--unsigned` because they do not submit registry transactions.
For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
@@ -7053,16 +7244,18 @@ CRE uses a simple role-based access control system with two roles:
Source: https://docs.chain.link/cre/organization/linking-keys
Last Updated: 2025-11-04
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via cre account list-key
@@ -7095,7 +7288,7 @@ Before linking a key, ensure you have:
## Linking your first key
-The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows), the CLI will detect that your address isn't linked and prompt you to link it.
+The easiest way to link a key is to let the deployment process handle it automatically. When you first try to [deploy a workflow](/cre/guides/operations/deploying-workflows) with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI will detect that your address isn't linked and prompt you to link it.
### Automatic linking during deployment
@@ -7177,7 +7370,7 @@ View on explorer: https://etherscan.io/tx/
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -7321,7 +7514,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -7401,7 +7594,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
@@ -7992,7 +8185,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -8006,11 +8199,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -8034,7 +8227,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
@@ -8226,7 +8419,7 @@ PRODUCTION:
Source: https://docs.chain.link/cre/reference/cli/account
Last Updated: 2026-02-26
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
@@ -8286,7 +8479,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
@@ -8563,7 +8756,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -8583,7 +8776,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -8626,7 +8819,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -8640,10 +8833,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8661,7 +8854,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -8675,10 +8868,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8701,7 +8894,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -8715,10 +8908,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -8950,7 +9143,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -8966,7 +9164,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -8981,15 +9179,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -9014,9 +9212,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -9060,8 +9258,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
@@ -10177,8 +10375,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. By default, deployments go to the Chainlink-hosted private registry using your CRE login — no wallet required.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
+2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10327,7 +10525,7 @@ Before you begin, ensure you have the following:
- **CRE CLI**: See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) for details.
- **CRE account & authentication**: You must have a CRE account and be logged in with the CLI. See [Create your account](/cre/account/creating-account) and [Log in with the CLI](/cre/account/cli-login) for instructions.
- **Bun**: You must have Bun version 1.2.21 or higher installed. Check your version with bun --version. See [Install Bun](https://bun.com) for instructions.
-- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the default `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
+- **Funded Sepolia Account**: An account with Sepolia ETH to pay for transaction gas fees. Required for [Part 4: Writing Onchain](/cre/getting-started/part-4-writing-onchain), and for any deployment that uses `deployment-registry: "onchain:ethereum-mainnet"`. Not required to simulate workflows or deploy to the `private` registry. Go to faucets.chain.link to get some Sepolia ETH.
## Step 1: Verify your authentication
@@ -16221,7 +16419,7 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
├── workflow2/
@@ -16229,14 +16427,14 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
└── …
```
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/abi/`: **TypeScript ABI definitions**, where you place `.ts` files that export contract ABIs using viem's type system. Unlike Go, TypeScript doesn't require generating bindings—ABIs are used directly with viem.
- `package.json` / `tsconfig.json`: **Workflow-specific dependencies and TypeScript configuration**. Each workflow manages its own dependencies independently.
@@ -16304,12 +16502,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -16317,7 +16515,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16327,7 +16525,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16336,18 +16534,19 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/organization/linking-keys.mdx b/src/content/cre/organization/linking-keys.mdx
index cf1bd48b878..6a193f7f9f2 100644
--- a/src/content/cre/organization/linking-keys.mdx
+++ b/src/content/cre/organization/linking-keys.mdx
@@ -3,23 +3,25 @@ section: cre
date: Last Modified
title: "Linking Wallet Keys"
metadata:
- description: "Link your wallet to CRE: connect your address to deploy workflows, set up multi-sig wallets, and manage your organization's keys."
+ description: "Link your wallet to CRE: connect your address for public onchain registry workflows, set up multi-sig wallets, and manage your organization's keys."
datePublished: "2025-11-04"
lastModified: "2025-11-04"
---
import { Aside, CopyText } from "@components"
-Before you can deploy workflows, you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages all CRE workflows—associating it with your organization and allowing you to deploy and manage workflows.
+Before you can deploy workflows to the public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`), you must link a public key address to your CRE organization. This process registers your wallet address onchain in the Workflow Registry contract—the smart contract on Ethereum Mainnet that stores and manages public CRE workflows—associating it with your organization and allowing you to deploy and manage workflows through the onchain registry.
+
+Private registry workflows (`deployment-registry: "private"`) do not require key linking. They are managed with your CRE login session.
## What is key linking?
-Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the Workflow Registry.
+Key linking is the process of connecting a blockchain wallet address to your CRE organization. Once linked, this address becomes a **workflow owner address** that can deploy, update, and delete workflows in the public onchain Workflow Registry.
**Key benefits:**
- Multiple team members can link their own addresses to the same organization
-- Each linked address can independently deploy and manage workflows
+- Each linked address can independently deploy and manage public onchain registry workflows
- Addresses are labeled for easy identification (e.g., "Production Wallet", "Dev Wallet")
- All linked addresses are visible to organization members via
[OK] web3 address linked to your CRE organization successfully
-→ You can now deploy workflows using this address
+→ You can now deploy public onchain registry workflows using this address
```
## Viewing linked keys
@@ -275,7 +277,7 @@ When you run `cre account unlink-key --unsigned` while logged into your CRE orga
Starting unlinking: owner=0x....
✔ Yes
Contract address validation passed
- --unsigned flag detected: transaction not sent on-chain.
+ --unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership unlinking initialized successfully!
@@ -354,7 +356,7 @@ Checking existing registrations...
✓ No existing link found for this address
Starting linking: owner=, label=SafeWallet
Contract address validation passed
---unsigned flag detected: transaction not sent on-chain.
+--unsigned flag detected: transaction not sent onchain.
Generating call data for offline signing and submission in your preferred tool:
Ownership linking initialized successfully!
diff --git a/src/content/cre/reference/cli/account.mdx b/src/content/cre/reference/cli/account.mdx
index 7a78a044449..726da746610 100644
--- a/src/content/cre/reference/cli/account.mdx
+++ b/src/content/cre/reference/cli/account.mdx
@@ -3,14 +3,14 @@ section: cre
date: Last Modified
title: "Account Management"
metadata:
- description: "Manage wallet addresses with CLI: link, unlink, and list keys for deploying workflows to the Workflow Registry."
+ description: "Manage wallet addresses with CLI: link, unlink, and list keys for public onchain registry workflows."
datePublished: "2025-11-04"
lastModified: "2026-02-26"
---
import { Aside } from "@components"
-The `cre account` commands manage your linked public key addresses for workflow operations. These commands allow you to link wallet addresses to your CRE account, list linked addresses, and unlink them when needed.
+The `cre account` commands manage linked public key addresses for public onchain registry workflows. Private registry workflows do not require linked keys; they use your CRE login session for workflow management.
{/* prettier-ignore */}
@@ -70,7 +70,7 @@ Our team will review your request and get back to you via email shortly.
in with the CLI](/cre/account/cli-login) for further details.
-Links a public key address to your account for workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
+Links a public key address to your account for public onchain registry workflow operations. This command reads your private key from the `.env` file (for EOA) or uses your configuration (for multi-sig), derives the public address, and registers it onchain in the Workflow Registry contract.
For a complete step-by-step guide with examples, see [Linking Wallet Keys](/cre/organization/linking-keys).
diff --git a/src/content/cre/reference/cli/index.mdx b/src/content/cre/reference/cli/index.mdx
index c2cc38d4311..ec1474eb0f5 100644
--- a/src/content/cre/reference/cli/index.mdx
+++ b/src/content/cre/reference/cli/index.mdx
@@ -64,7 +64,7 @@ Initialize projects and generate contract bindings (Go only).
Manage your linked public key addresses and deployment access.
- **`cre account access`** — Check deployment access status or submit an Early Access request
-- **`cre account link-key`** — Link a public key address to your account
+- **`cre account link-key`** — Link a public key address for public onchain registry operations
- **`cre account list-key`** — List workflow owners linked to your organization
- **`cre account unlink-key`** — Unlink a public key address from your account
@@ -78,11 +78,11 @@ Manage workflows throughout their entire lifecycle.
- **`cre workflow build`** — Compile a workflow to a WASM binary (without uploading or deploying)
- **`cre workflow simulate`** — Compile and execute workflows in a local simulation environment
-- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the onchain workflow ID)
-- **`cre workflow deploy`** — Deploy a workflow to the Workflow Registry contract
-- **`cre workflow activate`** — Activate a workflow on the Workflow Registry contract
-- **`cre workflow pause`** — Pause a workflow on the Workflow Registry contract
-- **`cre workflow delete`** — Delete all versions of a workflow from the Workflow Registry
+- **`cre workflow hash`** — Display content hashes for a workflow's binary and config (matches the workflow ID)
+- **`cre workflow deploy`** — Deploy a workflow to the registry selected by `deployment-registry`
+- **`cre workflow activate`** — Activate a workflow in its configured registry
+- **`cre workflow pause`** — Pause a workflow in its configured registry
+- **`cre workflow delete`** — Delete all versions of a workflow from its configured registry
- **`cre workflow custom-build`** — Convert a workflow to use a custom self-compiled WASM build
[View workflow commands →](/cre/reference/cli/workflow)
@@ -106,7 +106,7 @@ Manage secrets stored in the Vault DON for use in your workflows.
Inspect the workflow registries available to your organization. A workflow registry is the system that tracks which workflows are registered to your organization and makes them available to the Chainlink DON for execution.
-- **`cre registry list`** — Display the registries configured for your organization, including type and on-chain address
+- **`cre registry list`** — Display the registries configured for your organization, including type and onchain address
[View registry commands →](/cre/reference/cli/registry)
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 277c393f87d..5004f06f8e2 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -14,7 +14,12 @@ The `cre registry` commands let you view and inspect the workflow registries ava
## What is a workflow registry?
-A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. The standard registry is a smart contract on Ethereum Mainnet — when you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs, and the DON reads from it to discover and execute your workflow.
+A **workflow registry** is the system that tracks which workflows are registered to your CRE organization and makes them available to the DON (Decentralized Oracle Network) for execution. CRE supports a public onchain registry and a private Chainlink-hosted registry.
+
+- **Public/onchain registry**: A smart contract on Ethereum Mainnet. When you run `cre workflow deploy`, the CLI submits a transaction to that contract recording your workflow's name, owner, and artifact URLs.
+- **Private registry**: A centralized, offchain registry hosted by Chainlink. Workflow management is authorized by your CRE login session instead of a linked wallet key.
+
+Private registry management is a control-plane choice. It does not make workflow execution confidential, and confidential execution does not require the private registry.
When you log in with `cre login`, the CLI fetches your organization's registry configuration from the CRE platform and caches it locally in `~/.cre/context.yaml`. `cre registry list` reads from that cache and shows which registries your organization has access to.
@@ -30,7 +35,7 @@ When you log in with `cre login`, the CLI fetches your organization's registry c
## `cre registry list`
-Displays the workflow registries configured for your organization, including each registry's label, ID, type, and on-chain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
+Displays the workflow registries configured for your organization, including each registry's label, ID, type, and onchain address (where applicable). Registry data is sourced from `~/.cre/context.yaml`, which is fetched from the CRE platform when you run `cre login`.
**Usage:**
@@ -45,15 +50,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: on-chain
+ Type: onchain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: off-chain
+ Type: offchain
```
-The `ID` value is what you put in the `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/cli/secrets.mdx b/src/content/cre/reference/cli/secrets.mdx
index d5f9b6f2069..0bc5d8f8052 100644
--- a/src/content/cre/reference/cli/secrets.mdx
+++ b/src/content/cre/reference/cli/secrets.mdx
@@ -20,9 +20,9 @@ The `cre secrets` commands manage secrets stored in the Vault DON (Decentralized
## Auth modes
-`cre secrets` supports two authorization modes, mirroring the [control plane split](/cre/guides/operations/deploying-workflows#control-plane-web3-key-vs-auth-only) used for workflow deployment:
+`cre secrets` supports two authorization modes, mirroring the [private vs. public workflow management split](/cre/guides/operations/deploying-workflows#private-vs-public-workflow-management) used for workflow deployment:
-- **Web3-keyed (default).** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the on-chain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
+- **Web3-keyed.** Each operation is tied to your linked `workflow-owner-address`. Use this when your workflow is deployed to the onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`).
- **Browser auth (`--secrets-auth=browser`).** Each operation is authorized through a browser-based OAuth (PKCE) flow against the Vault DON gateway, using your CRE login session. No wallet or `workflow-owner-address` required. Use this when your workflow is deployed to the `private` registry, or when secrets are owned at the organization level.
Pass `--secrets-auth=browser` on any of `cre secrets create | update | delete | list` to opt into browser auth for that command. If omitted, the CLI uses the default for your target.
@@ -66,8 +66,8 @@ Secrets are organized into **namespaces**, which act as logical groupings (e.g.,
{/* prettier-ignore */}
- You must be logged in with `cre login` (interactive login required; API keys are not supported for secrets operations)
- - Your `workflow-owner-address` must be configured in your project (not required when `CRE_CLI_SECRETS_ORG_OWNED=true`)
- - **Production CRE:** only **linked workflow owner** vault authorization is supported for these commands. See ([Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed))
+ - Your `workflow-owner-address` must be configured in your project for web3-keyed/onchain registry flows. It is not required for browser-auth private registry flows or when `CRE_CLI_SECRETS_ORG_OWNED=true`.
+ - If browser auth is not enabled for your CRE environment, use the web3-keyed flow with a linked workflow owner address. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed).
- For comprehensive guides on using secrets, see [Managing Secrets](/cre/guides/workflow/secrets)
diff --git a/src/content/cre/reference/cli/workflow.mdx b/src/content/cre/reference/cli/workflow.mdx
index 80a3f95e01a..b94162dc7fb 100644
--- a/src/content/cre/reference/cli/workflow.mdx
+++ b/src/content/cre/reference/cli/workflow.mdx
@@ -138,7 +138,7 @@ cre workflow simulate [flags]
in with the CLI](/cre/account/cli-login) for further details.
-Deploys a workflow to the Workflow Registry — the onchain contract where workflows are enrolled so the Chainlink DON knows they exist and should run them. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and submits a registration transaction to the registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registry your organization is configured to use.
+Deploys a workflow to the registry selected by `user-workflow.deployment-registry` in `workflow.yaml`. This command compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with either the public onchain Workflow Registry or the Chainlink-hosted private registry. Use [`cre registry list`](/cre/reference/cli/registry) to see which registries your organization can use.
**Usage:**
@@ -158,7 +158,7 @@ cre workflow deploy [flags]
| `--wasm` | Path to a pre-built WASM binary (skips compilation). Use with [`cre workflow build`](#cre-workflow-build) for CI/CD pipelines |
| `--config` | Override the config file path from `workflow.yaml` |
| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
| `--yes` | Skip the confirmation prompt and proceed with the operation |
| `--skip-type-checks` | Skip TypeScript type checking during compilation. Speeds up iteration in development; not recommended for production builds |
@@ -201,7 +201,7 @@ For more details, see [Deploying Workflows](/cre/guides/operations/deploying-wor
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to active on the Workflow Registry contract. Active workflows can respond to their configured triggers.
+Changes the workflow status to active in the registry selected by `deployment-registry`. Active workflows can respond to their configured triggers.
**Usage:**
@@ -215,10 +215,10 @@ cre workflow activate [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -236,7 +236,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Changes the workflow status to paused on the Workflow Registry contract. Paused workflows will not respond to triggers.
+Changes the workflow status to paused in the registry selected by `deployment-registry`. Paused workflows will not respond to triggers.
**Usage:**
@@ -250,10 +250,10 @@ cre workflow pause [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
@@ -276,7 +276,7 @@ For more details, see [Activating & Pausing Workflows](/cre/guides/operations/ac
in with the CLI](/cre/account/cli-login) for further details.
-Deletes a workflow from the Workflow Registry.
+Deletes a workflow from the registry selected by `deployment-registry`.
**Usage:**
@@ -290,10 +290,10 @@ cre workflow delete [flags]
**Flags:**
-| Flag | Description |
-| ------------ | --------------------------------------------------------------- |
-| `--unsigned` | Return the raw transaction instead of sending it to the network |
-| `--yes` | Skip the confirmation prompt and proceed with the operation |
+| Flag | Description |
+| ------------ | -------------------------------------------------------------------------------------- |
+| `--unsigned` | Onchain registry only: return the raw transaction instead of sending it to the network |
+| `--yes` | Skip the confirmation prompt and proceed with the operation |
**Example:**
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index 5affc92515c..3e9e6e480d3 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -52,11 +52,11 @@ myProject/
│ ├── abi/ # Contract ABI files (.abi JSON format)
│ └── generated/ # Auto-generated Go bindings
├── workflow1/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
├── workflow2/
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.go # Your workflow code
│ └── …
└── …
@@ -64,7 +64,7 @@ myProject/
- `go.mod` / `go.sum`: **Go module definition** and dependency management for the entire project.
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/evm/src/abi/`: **Contract ABIs**, where you place `.abi` JSON files for contract binding generation.
- `contracts/evm/src/generated/`: **Generated Go bindings**, automatically created by the CRE CLI from your ABI files using `cre generate-bindings`.
@@ -131,12 +131,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -144,7 +144,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -154,7 +154,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -163,18 +163,19 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index 72d3866b635..af1bfe798cb 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -53,7 +53,7 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
├── workflow2/
@@ -61,14 +61,14 @@ myProject/
│ ├── tsconfig.json # TypeScript configuration
│ ├── bun.lock # Dependency lock file
│ ├── node_modules/ # Installed dependencies
-│ ├── workflow.yaml # Workflow-specific configuration (optional)
+│ ├── workflow.yaml # Workflow-specific configuration
│ ├── main.ts # Your workflow code
│ └── …
└── …
```
- `project.yaml`: **Global settings**, shared by every workflow in the project.
-- `workflow.yaml`: **Local settings** for a single workflow. Add this file only when the workflow needs overrides.
+- `workflow.yaml`: **Local settings** for a single workflow. Define each target's `workflow-name`, `deployment-registry`, workflow artifacts, and any workflow-specific overrides here.
- `secrets.yaml`: **Secret declarations**, a manifest of logical secret names used across the project.
- `contracts/abi/`: **TypeScript ABI definitions**, where you place `.ts` files that export contract ABIs using viem's type system. Unlike Go, TypeScript doesn't require generating bindings—ABIs are used directly with viem.
- `package.json` / `tsconfig.json`: **Workflow-specific dependencies and TypeScript configuration**. Each workflow manages its own dependencies independently.
@@ -136,12 +136,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with the latest CRE CLI release, the default deployment registry is `private` (Chainlink-hosted, off-chain).
- If your workflows previously deployed to the on-chain `ethereum-mainnet` registry, you must add `deployment-registry:
- "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target — otherwise your next `cre workflow
- deploy` (including upserts to existing workflows) will be routed to the private registry instead. See [Deploying
- Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the full migration path.
+
+ Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
+ `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
+ required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
+ continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
+ for the migration path.
```yaml
@@ -149,7 +149,7 @@ Variable values are resolved from environment variables at runtime. This works a
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Default. Use "onchain:ethereum-mainnet" to deploy to the on-chain registry.
+ deployment-registry: "private" # Private, centralized, offchain registry management.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -159,7 +159,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Pin to the on-chain Workflow Registry on Ethereum Mainnet.
+ deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -168,18 +168,19 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | No | Selects which registry receives this target's deployment. Defaults to `"private"` (Chainlink-hosted; managed with your CRE login, no wallet required). Set to `"onchain:ethereum-mainnet"` to deploy to the on-chain Workflow Registry contract — this requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
- Every workflow directory must have a `workflow.yaml` file that defines `workflow-name` and `workflow-artifacts`. You
- can optionally override project-level settings (like `workflow-owner-address`) for specific workflows.
+ To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
+ `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
+ project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/release-notes.mdx b/src/content/cre/release-notes.mdx
index 9c8007fb657..129d61136ca 100644
--- a/src/content/cre/release-notes.mdx
+++ b/src/content/cre/release-notes.mdx
@@ -12,13 +12,26 @@ import { Aside } from "@components"
This page provides detailed release notes for CRE. It includes information on new features, significant changes, and known limitations.
+## CLI v2.0.0 - Upcoming
+
+The next major CRE CLI release updates workflow configuration behavior for private registry deployments.
+
+- **Private registry by default for generated workflows**: New workflow targets generated by CRE CLI v2.0.0 include `deployment-registry: "private"` under `user-workflow`, so new deployments use the Chainlink-hosted private registry unless you choose another registry.
+- **Existing onchain workflows should pin the onchain registry**: Existing users whose workflows were deployed through the public onchain Workflow Registry should add `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before redeploying or updating. This keeps those workflows on the public onchain registry instead of moving management to the private registry.
+- **Migration error for older workflow files**: Existing `workflow.yaml` files created before `deployment-registry` existed may fail after upgrade with a clear error such as `"deployment-registry" is required in target "staging-settings"`. Existing deployed workflows continue running, but redeploy and workflow-management commands may require the config update. Use `deployment-registry: "private"` for Chainlink-hosted private registry management. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow) for the migration path.
+
+**How to update:**
+
+- **Automatic update**: When CLI v2.0.0 is available, the CLI will detect the newer version and prompt you to update. Run `cre update` to install it.
+- **Fresh installation**: If you're installing the CLI for the first time, follow the [CLI Installation guide](/cre/getting-started/cli-installation).
+
## CLI v1.13.0 - April 28, 2026
**CRE CLI version 1.13.0 is now available.**
-- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the on-chain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **Privately managed workflows**: A new Chainlink-hosted **private** registry is now available alongside the onchain Workflow Registry. Workflows on the private registry are managed entirely with your CRE login session — no wallet linking, no gas, no Ethereum Mainnet RPC required. Pick a registry per target by setting `user-workflow.deployment-registry` in your `workflow.yaml` to either `"private"` or `"onchain:ethereum-mainnet"`. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **Browser auth for secrets**: `cre secrets create | update | delete | list` now accept `--secrets-auth=browser` to authorize the operation through a browser-based OAuth flow against the Vault DON, using your CRE login session instead of a linked workflow owner address. See [Auth modes](/cre/reference/cli/secrets#auth-modes).
-- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the on-chain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
+- **Breaking change — default deployment registry**: The default value for `user-workflow.deployment-registry` is now `"private"`. Existing users whose workflows were deployed to the onchain Ethereum Mainnet registry must explicitly set `deployment-registry: "onchain:ethereum-mainnet"` under `user-workflow:` for each affected target before running `cre workflow deploy` again — otherwise the next deploy (including upserts to existing workflows) will be routed to the private registry. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) for the field reference and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the migration path.
**How to update:**
From e593ff36c89c78090c7c31ab71396faf4808a3a3 Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Wed, 6 May 2026 17:41:54 -0500
Subject: [PATCH 3/4] updates
---
src/config/sidebar.ts | 4 +
.../getting-started/before-you-build-go.mdx | 4 +-
.../getting-started/before-you-build-ts.mdx | 4 +-
.../part-1-project-setup-go.mdx | 1 +
.../part-1-project-setup-ts.mdx | 1 +
.../activating-pausing-workflows.mdx | 2 +-
.../guides/operations/deleting-workflows.mdx | 2 +-
.../deploying-to-private-registry.mdx | 290 ++++++++++
.../guides/operations/deploying-workflows.mdx | 136 +----
.../updating-deployed-workflows.mdx | 2 +-
src/content/cre/llms-full-go.txt | 507 ++++++++++++------
src/content/cre/llms-full-ts.txt | 507 ++++++++++++------
.../cre/reference/cli/project-setup-go.mdx | 21 +-
.../cre/reference/cli/project-setup-ts.mdx | 21 +-
src/content/cre/reference/cli/registry.mdx | 6 +-
.../reference/project-configuration-go.mdx | 33 +-
.../reference/project-configuration-ts.mdx | 33 +-
src/content/cre/service-quotas.mdx | 17 +
18 files changed, 1064 insertions(+), 527 deletions(-)
create mode 100644 src/content/cre/guides/operations/deploying-to-private-registry.mdx
diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index 47a3e3c5b26..db5c3be77a6 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -450,6 +450,10 @@ export const SIDEBAR: Partial> = {
title: "Deploying Workflows",
url: "cre/guides/operations/deploying-workflows",
},
+ {
+ title: "Deploying to the Private Registry",
+ url: "cre/guides/operations/deploying-to-private-registry",
+ },
{
title: "Activating & Pausing Workflows",
url: "cre/guides/operations/activating-pausing-workflows",
diff --git a/src/content/cre/getting-started/before-you-build-go.mdx b/src/content/cre/getting-started/before-you-build-go.mdx
index 4ab8e6db38d..2114f1009f7 100644
--- a/src/content/cre/getting-started/before-you-build-go.mdx
+++ b/src/content/cre/getting-started/before-you-build-go.mdx
@@ -56,8 +56,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/before-you-build-ts.mdx b/src/content/cre/getting-started/before-you-build-ts.mdx
index c322b79677c..4cd184fff16 100644
--- a/src/content/cre/getting-started/before-you-build-ts.mdx
+++ b/src/content/cre/getting-started/before-you-build-ts.mdx
@@ -122,8 +122,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-1. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
1. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
diff --git a/src/content/cre/getting-started/part-1-project-setup-go.mdx b/src/content/cre/getting-started/part-1-project-setup-go.mdx
index d70935a9e87..1a38f21bd69 100644
--- a/src/content/cre/getting-started/part-1-project-setup-go.mdx
+++ b/src/content/cre/getting-started/part-1-project-setup-go.mdx
@@ -86,6 +86,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Golang` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: A Golang Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**:
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+{/* prettier-ignore */}
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+{/* prettier-ignore */}
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+{/* prettier-ignore */}
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index 4f8839a4749..f865df260ad 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -18,38 +18,6 @@ import { Aside } from "@components"
-{/* prettier-ignore */}
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
-Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
-```yaml
-user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
-```
-
-See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -68,7 +36,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -87,12 +55,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -127,100 +95,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
-
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -239,7 +116,7 @@ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -468,6 +345,7 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index 05c586e27f5..23a5354dd4f 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -25,7 +25,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 78806a25f94..69a583928aa 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -280,6 +280,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
@@ -5810,37 +5827,6 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
- Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
- ```text
- Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
- Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
- Run "cre registry list" to see your available registries.
- ```
-
- Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
- ```yaml
- user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
- ```
-
- See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -5859,7 +5845,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -5878,12 +5864,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -5918,100 +5904,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -6030,7 +5925,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -6259,12 +6154,297 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
---
+# Deploying to the Private Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -6284,7 +6464,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6455,7 +6635,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6519,7 +6699,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9645,15 +9825,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -10560,8 +10740,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10762,6 +10942,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Golang` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: A Golang Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**: my-calculator-workflow
+ - **Deployment registry**: Select your preferred registry. Private (off-chain) registries appear first — choose `private` for quick testing without a wallet or gas, or `onchain:ethereum-mainnet` for the public Workflow Registry. If no registries appear, this step is skipped.
The CLI will then create a new `onchain-calculator` directory and initialize your first workflow within it.
@@ -16261,14 +16442,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -16280,6 +16462,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
2. **Language** (Go or TypeScript)
3. **Workflow template** (fetched dynamically from configured template sources)
4. **Workflow name**
+5. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
@@ -16303,12 +16486,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-go \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
@@ -16722,20 +16906,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -16745,7 +16921,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -16754,19 +16930,20 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index a0164e947e5..e6231af92c4 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -280,6 +280,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
@@ -4909,37 +4926,6 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-
-
- Starting with CRE CLI v2.0.0, newly generated workflow targets include `deployment-registry: "private"` under
- `user-workflow`, so new deployments use the Chainlink-hosted private registry by default. You only need to edit this
- field when you want a different registry, such as the public onchain Workflow Registry.
-
- Existing `workflow.yaml` files created before this field existed may fail after the CLI upgrade with an error like:
-
- ```text
- Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
- Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
- Run "cre registry list" to see your available registries.
- ```
-
- Existing deployed workflows continue running. If you hit this error while redeploying or updating, add the field to each affected target:
-
- ```yaml
- user-workflow:
- workflow-name: "my-workflow-production"
- deployment-registry: "private"
- ```
-
- See [Migrate an existing workflow](#migrate-an-existing-workflow) below for the full migration path.
-
-
When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
@@ -4958,7 +4944,7 @@ Before you can deploy a workflow, you must have:
- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **A `deployment-registry` value in `workflow.yaml`**: Updated CLI-generated targets include `deployment-registry: "private"` by default. For older workflow files, make sure the target has a registry ID from `cre registry list`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
@@ -4977,12 +4963,12 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
@@ -5017,100 +5003,9 @@ Use this flow when `deployment-registry: "private"`:
2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## Migrate an existing workflow
-
-CRE CLI v2.0.0 defaults new workflow targets to the private registry. Existing deployed workflows continue to run, but older `workflow.yaml` files may not have `deployment-registry` yet. If a redeploy, recompile, or workflow-management command reports the missing field, update the affected target before rerunning the command.
-
-### Who is affected
-
-You need to migrate if your workflow target has a `user-workflow` section without `deployment-registry`:
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
+For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-After upgrading, the CLI reports the missing field and points to the target that needs the update:
-
-```text
-Error: "deployment-registry" is required in target "staging-settings" as of CRE CLI v2.0.0.
-
-Add the field to your workflow.yaml under each target's user-workflow section:
-
- staging-settings:
- user-workflow:
- deployment-registry: "private"
-
-Run "cre registry list" to see your available registries.
-```
-
-Use `private` for Chainlink-hosted private registry management. If your existing workflow was already managed through the public onchain registry, use `onchain:ethereum-mainnet` instead so the workflow stays on the same registry.
-
-### Step 1: List available registries
-
-Log in, then list the registries available to your organization:
-
-```bash
-cre login
-cre registry list
-```
-
-Use the `ID` value from the output in `workflow.yaml`.
-
-### Step 2: Choose public or private workflow management
-
-Choose the registry that matches how you want to manage the workflow:
-
-- Choose `onchain:ethereum-mainnet` to keep an existing public/onchain workflow on the same public registry. This keeps the linked-key and gas-based management path.
-- Choose `private` for private, centralized, offchain workflow management. This removes linked-key, Ethereum Mainnet RPC, and gas requirements for workflow registry operations.
-
-The private registry only changes workflow management. It does not make execution confidential, and it does not replace any gas or funding requirements that apply to onchain actions performed by the workflow itself.
-
-### Step 3: Update affected targets
-
-Add `deployment-registry` under `user-workflow` for each target that is missing it.
-
-**Keep an existing workflow on the public onchain registry:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "onchain:ethereum-mainnet"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-**Use the private registry for workflow management:**
-
-```yaml
-staging-settings:
- user-workflow:
- workflow-name: "my-workflow-staging"
- deployment-registry: "private"
- workflow-artifacts:
- workflow-path: "./main.ts"
- config-path: "./config.staging.json"
-```
-
-Repeat this for `production-settings` and any other target that needs migration.
-
-### Step 4: Re-run the command
-
-After the YAML is updated, rerun the command that failed:
-
-```bash
-cre workflow deploy my-workflow --target staging-settings
-```
-
-If you chose `onchain:ethereum-mainnet`, keep your linked wallet key, `CRE_ETH_PRIVATE_KEY`, Ethereum Mainnet RPC, and funded wallet configuration. If you chose `private`, workflow deployment and lifecycle management use your CRE login session instead.
+If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
## The deployment process
@@ -5129,7 +5024,7 @@ The `cre workflow deploy` command handles the entire end-to-end process for you:
### Step 1: Ensure your configuration is correct
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` and `deployment-registry` fields are required under the `user-workflow` section for your target environment.
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
@@ -5358,12 +5253,297 @@ For complete setup instructions, configuration requirements, and step-by-step gu
## Next steps
+- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
---
+# Deploying to the Private Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+
+
+ The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
+
+
+## Prerequisites
+
+Before deploying to the private registry, ensure you have:
+
+- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
+- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+Unlike the public onchain registry, you do **not** need:
+
+- A linked wallet key (`cre account link-key`)
+- `CRE_ETH_PRIVATE_KEY` in your `.env` file
+- An Ethereum Mainnet RPC URL in `project.yaml`
+- ETH for gas
+
+## Step 1: Confirm the private registry is available
+
+Run `cre registry list` to see the registries available to your organization:
+
+```bash
+cre registry list
+```
+
+**Example output:**
+
+```
+Registries available to your organization
+
+ethereum-mainnet (0x4Ac5...E7e5)
+ ID: onchain:ethereum-mainnet
+ Type: on-chain
+ Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+
+Private (Chainlink-hosted)
+ ID: private
+ Type: off-chain
+```
+
+You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
+
+## Step 2: Add `deployment-registry` to your `workflow.yaml`
+
+Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+
+**TypeScript:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "./main.ts"
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+**Go:**
+
+```yaml
+# workflow.yaml
+staging-settings:
+ user-workflow:
+ workflow-name: "my-workflow-staging"
+ deployment-registry: "private"
+ workflow-artifacts:
+ workflow-path: "."
+ config-path: "./config.staging.json"
+ secrets-path: ""
+```
+
+The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
+
+
+
+ `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
+
+
+## Step 3: Deploy the workflow
+
+From your project root, run the deploy command with your target:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
+
+**Example output:**
+
+```
+Deploying Workflow : my-workflow
+Target : staging-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.staging.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Registering workflow in private registry (workflowID: )...
+✓ Workflow registered in private registry
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+ Owner:
+```
+
+The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
+
+## Step 4: Verify the deployment
+
+Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
+
+```bash
+cre workflow list
+```
+
+Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
+
+```bash
+cre workflow list --registry private
+```
+
+You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
+
+## Managing a private registry workflow
+
+All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
+
+### Activate
+
+```bash
+cre workflow activate my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to activate... Name=my-workflow
+
+Processing activation for workflow ID ...
+✓ Workflow activated successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Active
+ Owner:
+```
+
+### Pause
+
+```bash
+cre workflow pause my-workflow --target staging-settings
+```
+
+**Example output:**
+
+```
+Fetching workflow to pause... Name=my-workflow
+
+Processing pause for workflow ID ...
+✓ Workflow paused successfully
+
+Details:
+ Registry: private
+ Workflow Name: my-workflow
+ Workflow ID:
+ Status: Paused
+ Owner:
+```
+
+### Update
+
+Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
+
+```bash
+cre workflow deploy my-workflow --target staging-settings
+```
+
+The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
+
+### Delete
+
+```bash
+cre workflow delete my-workflow --target staging-settings
+```
+
+The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
+
+
+
+ Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
+
+
+## Secrets with the private registry
+
+Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
+
+```bash
+# Create secrets for a private registry workflow
+cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
+
+# Update secrets
+cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
+
+# List secrets
+cre secrets list --target staging-settings --secrets-auth=browser
+```
+
+When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
+
+See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
+
+## CI/CD with the private registry
+
+Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
+
+```yaml
+# .github/workflows/deploy-private.yml
+name: Deploy to Private Registry
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
+- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -5383,7 +5563,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5554,7 +5734,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5618,7 +5798,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **A `deployment-registry` value**: Updated CLI-generated targets use `private` by default. For older workflow files, make sure the target has `deployment-registry: "private"` or `deployment-registry: "onchain:ethereum-mainnet"`.
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9258,15 +9438,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
@@ -10453,8 +10633,8 @@ Here are resources to help you go from simulation to production.
Deploying requires Early Access approval. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access). While you wait, continue building and simulating workflows.
-1. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Set `deployment-registry` in `workflow.yaml` to choose private registry management or the public onchain Workflow Registry.
-2. **(Optional) [Link a Wallet Key](/cre/organization/linking-keys)** — Only needed if you set `deployment-registry: "onchain:ethereum-mainnet"`.
+1. **[Link a Wallet Key](/cre/organization/linking-keys)** — Required for the default onchain Workflow Registry. Not needed when using `deployment-registry: "private"`.
+2. **[Deploy Your Workflow](/cre/guides/operations/deploying-workflows)** — Push your workflow live. Optionally set `deployment-registry: "private"` in `workflow.yaml` to use the Chainlink-hosted private registry (no linked key or gas required for registry operations).
3. **[Monitor Your Workflow](/cre/guides/operations/monitoring-workflows)** — Watch it execute and debug issues
### Explore different triggers
@@ -10655,6 +10835,7 @@ The CRE CLI provides an `init` command to scaffold a new project. It's an intera
- **Language**: Select `Typescript` and press Enter.
- **Pick a workflow template**: Use the arrow keys to select `Helloworld: Typescript Hello World example` and press Enter. We are starting from scratch to learn all the configuration steps.
- **Workflow name**: my-calculator-workflow
+ - **Deployment registry**: Select your preferred registry. Private (off-chain) registries appear first — choose `private` for quick testing without a wallet or gas, or `onchain:ethereum-mainnet` for the public Workflow Registry. If no registries appear, this step is skipped.
The CLI will then create a new `onchain-calculator` directory and initialize your first workflow within it.
@@ -16188,14 +16369,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -16207,6 +16389,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
2. **Language** (Go or TypeScript)
3. **Workflow template** (fetched dynamically from configured template sources)
4. **Workflow name**
+5. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
@@ -16230,12 +16413,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-ts \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
@@ -16580,20 +16764,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -16603,7 +16779,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -16612,19 +16788,20 @@ production-settings:
#### Configuration fields
-| Field | Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field | Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/reference/cli/project-setup-go.mdx b/src/content/cre/reference/cli/project-setup-go.mdx
index 3f030dfcbd2..834a95dcff8 100644
--- a/src/content/cre/reference/cli/project-setup-go.mdx
+++ b/src/content/cre/reference/cli/project-setup-go.mdx
@@ -40,14 +40,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-go`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -59,6 +60,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
1. **Language** (Go or TypeScript)
1. **Workflow template** (fetched dynamically from configured template sources)
1. **Workflow name**
+1. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
{/* prettier-ignore */}
@@ -82,12 +84,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-go \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
{/* prettier-ignore */}
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
diff --git a/src/content/cre/reference/cli/project-setup-ts.mdx b/src/content/cre/reference/cli/project-setup-ts.mdx
index 88a5e9fb0fb..62be7759e91 100644
--- a/src/content/cre/reference/cli/project-setup-ts.mdx
+++ b/src/content/cre/reference/cli/project-setup-ts.mdx
@@ -40,14 +40,15 @@ cre init [flags]
**Flags:**
-| Flag | Description |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
-| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
-| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
-| `-w, --workflow-name` | Name for the new workflow. |
-| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
-| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--non-interactive` | Fail instead of prompting; supply all inputs via flags (for **CI/CD** and non-TTY environments). |
+| `-p, --project-name` | Name for the new project (required for a new project when using `--non-interactive`). |
+| `-t, --template` | Template name to use (for example `hello-world-ts`). Run `cre templates list` to see IDs and required networks. |
+| `-w, --workflow-name` | Name for the new workflow. |
+| `--deployment-registry` | Registry ID to write into the generated `workflow.yaml` (e.g. `private` or `onchain:ethereum-mainnet`). Run `cre registry list` to see available IDs. In `--non-interactive` mode, omitting this flag prints a warning and defaults to on-chain. |
+| `--refresh` | Bypass the template cache and fetch fresh data from GitHub. |
+| `--rpc-url` | RPC endpoint for a chain, repeatable. Format: `chain-name=url`. Often **required** with `--non-interactive` when the template needs RPCs. |
Inherited [global flags](/cre/reference/cli#global-flags) include **`-R, --project-root`**, which `cre init` uses as the directory where the project is created when you pass it explicitly.
@@ -59,6 +60,7 @@ Running `cre init` without flags starts an interactive setup that guides you thr
1. **Language** (Go or TypeScript)
1. **Workflow template** (fetched dynamically from configured template sources)
1. **Workflow name**
+1. **Deployment registry** — select which registry the generated `workflow.yaml` targets. Private (off-chain) registries appear first with the cursor defaulted to them. If your organization has no registries configured, this step is skipped and the field is omitted from `workflow.yaml`.
{/* prettier-ignore */}
@@ -82,12 +84,13 @@ cre init \
--project-name my-cre-project \
--workflow-name my-workflow \
--template hello-world-ts \
+ --deployment-registry private \
--rpc-url sepolia=https://sepolia.infura.io/v3/YOUR_KEY
```
{/* prettier-ignore */}
- For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error—pass the needed **`--rpc-url`** flags up front.
+ For most users, `cre init` without flags is easiest. With **`--non-interactive`**, the CLI does not prompt; if RPC URLs are required and there is no TTY, you get a clear error — pass the needed flags up front. If `--deployment-registry` is omitted in `--non-interactive` mode, the CLI prints a warning and defaults to the onchain registry.
For a detailed walkthrough, see [Part 1 of the Getting Started guide](/cre/getting-started/part-1-project-setup).
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 5004f06f8e2..6ba3e83940b 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -50,15 +50,15 @@ Registries available to your organization
ethereum-mainnet (0x4Ac5...E7e5)
ID: onchain:ethereum-mainnet
- Type: onchain
+ Type: on-chain
Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
Private (Chainlink-hosted)
ID: private
- Type: offchain
+ Type: off-chain
```
-The `ID` value is what you put in the required `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/project-configuration-go.mdx b/src/content/cre/reference/project-configuration-go.mdx
index 3e9e6e480d3..58dee5e4139 100644
--- a/src/content/cre/reference/project-configuration-go.mdx
+++ b/src/content/cre/reference/project-configuration-go.mdx
@@ -131,20 +131,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.staging.json"
@@ -154,7 +146,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "." # Points to the workflow directory
config-path: "./config.production.json"
@@ -163,19 +155,20 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For Go: `"."` (current directory). For TypeScript: `"./main.ts"` (or your entry file name). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
### 3.3. Secrets configuration (`secrets.yaml`)
diff --git a/src/content/cre/reference/project-configuration-ts.mdx b/src/content/cre/reference/project-configuration-ts.mdx
index af1bfe798cb..f01c83488eb 100644
--- a/src/content/cre/reference/project-configuration-ts.mdx
+++ b/src/content/cre/reference/project-configuration-ts.mdx
@@ -136,20 +136,12 @@ Variable values are resolved from environment variables at runtime. This works a
`workflow.yaml` captures details **unique to one workflow instance**, like its name and entry point file.
-
- Starting with CRE CLI v2.0.0, generated workflow targets include `deployment-registry: "private"` by default. Existing
- `workflow.yaml` files created before this field existed may fail with an error such as `"deployment-registry" is
- required in target "staging-settings"` during redeploy or workflow-management commands. Existing deployed workflows
- continue running. See [Deploying Workflows](/cre/guides/operations/deploying-workflows#migrate-an-existing-workflow)
- for the migration path.
-
-
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-por-workflow-staging"
- deployment-registry: "private" # Private, centralized, offchain registry management.
+ # deployment-registry: "private" # Optional (new in v1.14.0). Omit to use the default onchain registry.
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.staging.json"
@@ -159,7 +151,7 @@ production-settings:
user-workflow:
workflow-owner-address: "" # Optional: For multi-sig wallets
workflow-name: "my-por-workflow-production"
- deployment-registry: "onchain:ethereum-mainnet" # Public, onchain Workflow Registry on Ethereum Mainnet.
+ # deployment-registry: "onchain:ethereum-mainnet" # Explicit onchain registry (also the default when omitted).
workflow-artifacts:
workflow-path: "./main.ts" # Points to the TypeScript entry file
config-path: "./config.production.json"
@@ -168,19 +160,20 @@ production-settings:
#### Configuration fields
-| Field
| Required | Description |
-| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
-| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
-| `user-workflow.deployment-registry` | Yes | Selects which registry receives this target's deployment. Set to `"private"` for private, centralized, offchain registry management through your CRE login session. Set to `"onchain:ethereum-mainnet"` for the public onchain Workflow Registry contract on Ethereum Mainnet, which requires a [linked web3 key](/cre/organization/linking-keys) and a funded wallet for registry transaction gas. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available. |
-| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
-| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
-| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
+| Field
| Required | Description |
+| -------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `user-workflow.workflow-name` | Yes | The name of your workflow. This name is used to identify the workflow when deploying, activating, or managing it via CLI commands. Best practice: include environment suffix (e.g., `-staging`, `-production`). |
+| `user-workflow.workflow-owner-address` | No | Multi-sig wallet address (if applicable). Overrides the value from `project.yaml` for this specific workflow. See the `project.yaml` configuration table above for details. |
+| `user-workflow.deployment-registry` | No | New in v1.14.0. Selects which registry receives this target's deployment. When omitted, the CLI defaults to the public onchain Workflow Registry (same behavior as before v1.14.0). Set to `"private"` for Chainlink-hosted private registry management via your CRE login session (no linked key or gas required for registry operations). Set to `"onchain:ethereum-mainnet"` to explicitly target the public onchain Workflow Registry. Run [`cre registry list`](/cre/reference/cli/registry) to see registries available to your organization. |
+| `workflow-artifacts.workflow-path` | Yes | Path to your workflow entry point. For TypeScript: `"./main.ts"` (or your entry file name). For Go: `"."` (current directory). |
+| `workflow-artifacts.config-path` | Yes | Path to your workflow configuration JSON file (e.g., `"./config.staging.json"` or `"./config.production.json"`). |
+| `workflow-artifacts.secrets-path` | No | Path to your secrets YAML file (e.g., `"../secrets.yaml"`). Use `""` (empty string) if not using secrets. See [Secrets Management](/cre/guides/workflow/secrets) for details. |
To deploy or manage a workflow with the CLI, the workflow directory must have a `workflow.yaml` file that defines
- `workflow-name`, `deployment-registry`, and `workflow-artifacts` for each target. You can optionally override
- project-level settings (like `workflow-owner-address`) for specific workflows.
+ `workflow-name` and `workflow-artifacts` for each target. `deployment-registry` is optional — omit it to use the
+ default onchain registry, or set it to `"private"` to use the Chainlink-hosted private registry. You can optionally
+ override project-level settings (like `workflow-owner-address`) for specific workflows.
diff --git a/src/content/cre/service-quotas.mdx b/src/content/cre/service-quotas.mdx
index 8dbd7926261..7e8d8806a07 100644
--- a/src/content/cre/service-quotas.mdx
+++ b/src/content/cre/service-quotas.mdx
@@ -16,6 +16,23 @@ This page documents the service quotas for Chainlink Runtime Environment (CRE) w
The quotas documented on this page are subject to change. Check back regularly for updates.
+## Per-organization quotas
+
+These quotas apply at the organization level.
+
+### Registry quotas
+
+| Registry | Quota | Value |
+| --------------------------------------------------------------------------- | ------------------------------------ | ----- |
+| Private registry (`deployment-registry: "private"`) | Maximum workflows per organization | 3 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum linked keys per organization | 1 |
+| Public onchain registry (`deployment-registry: "onchain:ethereum-mainnet"`) | Maximum workflows per linked key | 3 |
+
+{/* prettier-ignore */}
+
+ Registry quotas are being actively tuned ahead of general availability. Values may increase. Run `cre registry list` to confirm your organization's access.
+
+
## Per-owner quotas
These quotas apply to each workflow owner (user account) within an organization.
From 3a6911bb9befdb2822d56f97f950f74ce675396a Mon Sep 17 00:00:00 2001
From: devin distefano
Date: Wed, 6 May 2026 17:58:16 -0500
Subject: [PATCH 4/4] reformat guides
---
src/config/sidebar.ts | 14 +-
.../activating-pausing-workflows.mdx | 2 +-
.../guides/operations/deleting-workflows.mdx | 2 +-
.../deploying-to-onchain-registry.mdx | 265 ++++++++
.../deploying-to-private-registry.mdx | 44 +-
.../guides/operations/deploying-workflows.mdx | 329 +--------
.../updating-deployed-workflows.mdx | 2 +-
src/content/cre/key-terms.mdx | 2 +-
src/content/cre/llms-full-go.txt | 640 +++++++++---------
src/content/cre/llms-full-ts.txt | 640 +++++++++---------
src/content/cre/reference/cli/registry.mdx | 2 +-
11 files changed, 935 insertions(+), 1007 deletions(-)
create mode 100644 src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index db5c3be77a6..57d961200e5 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -449,10 +449,16 @@ export const SIDEBAR: Partial> = {
{
title: "Deploying Workflows",
url: "cre/guides/operations/deploying-workflows",
- },
- {
- title: "Deploying to the Private Registry",
- url: "cre/guides/operations/deploying-to-private-registry",
+ children: [
+ {
+ title: "Deploying to the Private Registry",
+ url: "cre/guides/operations/deploying-to-private-registry",
+ },
+ {
+ title: "Deploying to the Onchain Registry",
+ url: "cre/guides/operations/deploying-to-onchain-registry",
+ },
+ ],
},
{
title: "Activating & Pausing Workflows",
diff --git a/src/content/cre/guides/operations/activating-pausing-workflows.mdx b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
index 84ce45748de..1a34b472c13 100644
--- a/src/content/cre/guides/operations/activating-pausing-workflows.mdx
+++ b/src/content/cre/guides/operations/activating-pausing-workflows.mdx
@@ -25,7 +25,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
diff --git a/src/content/cre/guides/operations/deleting-workflows.mdx b/src/content/cre/guides/operations/deleting-workflows.mdx
index 52de991095b..0832c40a011 100644
--- a/src/content/cre/guides/operations/deleting-workflows.mdx
+++ b/src/content/cre/guides/operations/deleting-workflows.mdx
@@ -20,7 +20,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
diff --git a/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx b/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
new file mode 100644
index 00000000000..4a5f89075e4
--- /dev/null
+++ b/src/content/cre/guides/operations/deploying-to-onchain-registry.mdx
@@ -0,0 +1,265 @@
+---
+section: cre
+date: Last Modified
+title: "Deploying to the Onchain Registry"
+metadata:
+ description: "Deploy CRE workflows to the public Workflow Registry contract on Ethereum Mainnet using a linked wallet key."
+ datePublished: "2026-05-06"
+ lastModified: "2026-05-06"
+---
+
+import { Aside } from "@components"
+
+{/* prettier-ignore */}
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+1. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+1. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+{/* prettier-ignore */}
+
+Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+1. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+{/* prettier-ignore */}
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+{/* prettier-ignore */}
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
diff --git a/src/content/cre/guides/operations/deploying-to-private-registry.mdx b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
index 27a288cac3a..0d4693d7853 100644
--- a/src/content/cre/guides/operations/deploying-to-private-registry.mdx
+++ b/src/content/cre/guides/operations/deploying-to-private-registry.mdx
@@ -15,7 +15,9 @@ import { Aside } from "@components"
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
{/* prettier-ignore */}
@@ -29,7 +31,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -39,34 +41,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
-
-Run `cre registry list` to see the registries available to your organization:
-
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -96,14 +75,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
{/* prettier-ignore */}
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -144,7 +121,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -284,7 +261,8 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
diff --git a/src/content/cre/guides/operations/deploying-workflows.mdx b/src/content/cre/guides/operations/deploying-workflows.mdx
index f865df260ad..97ae6b073be 100644
--- a/src/content/cre/guides/operations/deploying-workflows.mdx
+++ b/src/content/cre/guides/operations/deploying-workflows.mdx
@@ -3,9 +3,9 @@ section: cre
date: Last Modified
title: "Deploying Workflows"
metadata:
- description: "Deploy your workflow: learn how to register your workflow and start running it across a Decentralized Oracle Network (DON)."
+ description: "Deploy your workflow: understand the two CRE registry models and choose the right deployment path for your project."
datePublished: "2025-11-04"
- lastModified: "2026-04-30"
+ lastModified: "2026-05-06"
---
import { Aside } from "@components"
@@ -18,31 +18,21 @@ import { Aside } from "@components"
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
{/* prettier-ignore */}
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
+## Comparing registries
-Before you can deploy a workflow, you must have:
-
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -63,289 +53,34 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-1. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-1. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-{/* prettier-ignore */}
-
-Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
-
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
-
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
-
-### Step 2: Run the deploy command
-
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
-
-```bash
-cre workflow deploy [flags]
-```
-
-Example command to target the `production-settings` environment:
-
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
-
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-1. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-1. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-## CI/CD pipeline integration
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-{/* prettier-ignore */}
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-{/* prettier-ignore */}
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
+## Limits
-## Using multi-sig wallets
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+## Deployment guides
-## Next steps
+For step-by-step instructions, choose the guide for your target registry:
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
diff --git a/src/content/cre/guides/operations/updating-deployed-workflows.mdx b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
index 23a5354dd4f..92f2041ab10 100644
--- a/src/content/cre/guides/operations/updating-deployed-workflows.mdx
+++ b/src/content/cre/guides/operations/updating-deployed-workflows.mdx
@@ -25,7 +25,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index 78a4bec8eff..722c51ddc98 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -29,7 +29,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 69a583928aa..aca90b0013a 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -170,7 +170,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
@@ -5819,7 +5819,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-04-30
+Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -5827,31 +5827,21 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
-
-Before you can deploy a workflow, you must have:
+## Comparing registries
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -5872,292 +5862,37 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-
-
- Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-### Step 2: Run the deploy command
+## Limits
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-```bash
-cre workflow deploy [flags]
-```
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-Example command to target the `production-settings` environment:
+## Deployment guides
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+For step-by-step instructions, choose the guide for your target registry:
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
-
-## CI/CD pipeline integration
-
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
-
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
-
-## Using multi-sig wallets
-
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
-
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-## Next steps
-
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
---
@@ -6169,7 +5904,9 @@ Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
@@ -6183,7 +5920,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -6193,34 +5930,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Run `cre registry list` to see the registries available to your organization:
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
-
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -6250,14 +5964,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -6298,7 +6010,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -6438,13 +6150,273 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
---
+# Deploying to the Onchain Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-onchain-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+2. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+
+
+ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+3. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -6464,7 +6436,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -6635,7 +6607,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -6699,7 +6671,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9833,7 +9805,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index e6231af92c4..938ffc84168 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -170,7 +170,7 @@ How you manage a workflow's lifecycle (deploy, activate, pause, update, delete)
- **Web3 key** — operations sign onchain transactions to the public Workflow Registry contract on Ethereum Mainnet. Requires a [linked wallet key](/cre/organization/linking-keys) and gas for registry transactions. Used when `deployment-registry: "onchain:ethereum-mainnet"`.
- **Auth only** — operations are authorized by your CRE login session against the Chainlink-hosted private registry. No wallet, no Ethereum Mainnet RPC, and no gas are required for registry management. Used when `deployment-registry: "private"`.
-See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
+See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries) for the deploy-time view and [Auth modes](/cre/guides/workflow/secrets/using-secrets-deployed#auth-modes-web3-key-vs-browser-auth) for the secrets equivalent.
### Public workflow
@@ -4918,7 +4918,7 @@ If your workflow requires higher limits than the defaults, you can request a lim
# Deploying Workflows
Source: https://docs.chain.link/cre/guides/operations/deploying-workflows
-Last Updated: 2026-04-30
+Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
@@ -4926,31 +4926,21 @@ Last Updated: 2026-04-30
**While you wait:** Continue building and simulating workflows using [`cre workflow simulate`](/cre/guides/operations/simulating-workflows).
-When you deploy a workflow, you take your locally tested code and register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models today:
+When you deploy a workflow, you register it with a **workflow registry** so it can activate and respond to triggers across a [Decentralized Oracle Network (DON)](/cre/key-terms#decentralized-oracle-network-don). CRE supports two registry models, selected per deployment target via `deployment-registry` in `workflow.yaml`:
-- **Public workflow**: Workflow management goes through the onchain Workflow Registry contract on Ethereum Mainnet. Use `deployment-registry: "onchain:ethereum-mainnet"`.
-- **Private workflow**: Workflow management goes through the Chainlink-hosted private registry. Use `deployment-registry: "private"`.
+- **Private workflow**: Lifecycle operations (deploy, activate, pause, update, delete) are authorized by your CRE login session against the Chainlink-hosted private registry. No linked wallet, no gas, no Ethereum Mainnet RPC required for registry management. This is the default for new projects initialized with `cre init`.
+- **Public/onchain workflow**: Lifecycle operations submit transactions to the Workflow Registry contract on Ethereum Mainnet, authorized by your linked web3 wallet key.
-This is a control-plane choice for workflow management: deploy, update, activate, pause, delete, and related ownership. It is not an execution-privacy setting.
+This is a **control-plane** choice — it governs how workflow management is authorized, not how workflow execution behaves. See [Private workflow](/cre/key-terms#private-workflow) and [Confidential execution](/cre/key-terms#confidential-workflow-or-confidential-execution) for the distinction.
- A private workflow uses a private, centralized, offchain registry for workflow management. It does not make workflow execution confidential. Confidential execution is a separate execution-plane feature. A workflow can use confidential execution or a confidential capability while still using the public onchain registry, and a workflow can use the private registry without being confidential.
+ A private workflow uses a private, offchain registry for workflow management. It does not make workflow execution confidential. A workflow can use the private registry and still run on a public DON, and it can use confidential execution regardless of which registry it's deployed to.
-## Prerequisites
-
-Before you can deploy a workflow, you must have:
+## Comparing registries
-- **Early Access approval**: Workflow deployment is currently in Early Access. Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
-- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: New in CRE CLI v1.14.0. When omitted, the CLI defaults to the public onchain Workflow Registry (existing behavior). Set this field to `"private"` to use the Chainlink-hosted private registry, or to `"onchain:ethereum-mainnet"` to explicitly target the onchain registry. Run `cre registry list` to see which registries are available to your organization.
-- **(Onchain registry only) [Linked your key](/cre/reference/cli/account#cre-account-link-key)**: Required only when the target's `deployment-registry` is set to `onchain:ethereum-mainnet`. Link your EOA or multi-sig wallet to your account by running `cre account link-key`. Workflows deployed to the `private` registry do not need a linked key.
-- **(Onchain registry only) A funded wallet**: The deploying account must hold ETH on Ethereum Mainnet to pay gas for the registration transaction. Not required for the `private` registry.
-
-## Choosing your registry
-
-Each target deploys to exactly one registry, selected by the `user-workflow.deployment-registry` field in `workflow.yaml`. Run `cre registry list` to see which registries are available to your organization:
+Run `cre registry list` to see which registries are available to your organization:
```bash
cre registry list
@@ -4971,292 +4961,37 @@ Private (Chainlink-hosted)
Type: off-chain
```
-Use the `ID` value as the value of `deployment-registry` in your `workflow.yaml`.
-
-### Private vs. public workflow management
-
-CRE exposes two ways to manage the lifecycle of a workflow (deploy, activate, pause, update, delete) and its secrets — together, this is the **control plane**. Pick per target by setting `deployment-registry`:
-
-| Workflow management model | `deployment-registry` value | How management is authorized | Key and gas requirements |
-| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| Public workflow / onchain registry | `"onchain:ethereum-mainnet"` | A transaction signed by your linked web3 key updates the public Workflow Registry contract. | Requires `cre account link-key`, an Ethereum Mainnet RPC, and ETH for registry transaction gas. |
-| Private workflow / private registry | `"private"` | Your CRE login session authorizes the operation against the Chainlink-hosted private registry. | No linked key, no Ethereum Mainnet RPC, and no gas for registry management. |
-
-Use the private registry when you want centralized, offchain workflow management, especially for lower-friction testing and team-managed workflows. Use the public onchain registry when workflow lifecycle operations must be recorded on the public Workflow Registry contract.
-
-Secrets follow the same authorization split. See [Managing with a web3 key](#managing-with-a-web3-key) and [Managing with auth only](#managing-with-auth-only) below for the per-flow specifics, and [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the secrets equivalent.
-
-### Managing with a web3 key
-
-Use this flow when `deployment-registry: "onchain:ethereum-mainnet"`:
-
-1. Link your EOA or multi-sig wallet to your organization with `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys).
-2. Set `CRE_ETH_PRIVATE_KEY` in your `.env` and add an RPC URL for `ethereum-mainnet` to your `project.yaml`.
-3. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). Each command builds a transaction, prompts you to confirm, and submits it onchain. The Workflow Registry emits an event tying the workflow ID to your wallet address — that address is the workflow's owner and is what you'll see on the CRE platform UI.
-4. For multi-sig wallets, pass `--unsigned` to print the raw transaction data instead of broadcasting. See [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-### Managing with auth only
-
-Use this flow when `deployment-registry: "private"`:
-
-1. Log in once with `cre login`.
-2. Run `cre workflow deploy` (or `activate`, `pause`, `delete`, `update`). The CLI authorizes the operation against the Chainlink-hosted registry using your CRE login session. No `.env` private key, no wallet linking, and no Ethereum Mainnet RPC are required for these commands.
-3. Workflows show as `private` in the CRE platform UI. The `Owner` is your CRE organization rather than a wallet address.
-
-For a complete step-by-step walkthrough, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
-
-If a target needs to deploy to the onchain registry but you have no `CRE_ETH_PRIVATE_KEY` configured, the CLI errors out before submitting anything (e.g., `failed to load settings: failed to parse private key. Please check CRE_ETH_PRIVATE_KEY in your .env file or system environment`).
-
-## The deployment process
-
-The `cre workflow deploy` command handles the entire end-to-end process for you:
-
-1. **Compiles** your workflow to a WASM binary.
-2. **Uploads** the compiled binary and any associated configuration files (like your config file or `secrets.yaml`) to the CRE Storage Service.
-3. **Registers** the workflow with the registry selected by `user-workflow.deployment-registry`:
- - **`onchain:ethereum-mainnet`** — submits a transaction to the Workflow Registry contract on **Ethereum Mainnet**. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet` (e.g., `https://ethereum-rpc.publicnode.com`). The transaction contains the workflow's name, owner, and artifact URLs.
- - **`private`** — registers the workflow with the Chainlink-hosted private registry, authorized by your CRE login session. No transaction, gas, or Ethereum Mainnet RPC is required for registry management.
-
-
-
- Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
-
-
-### Step 1: Ensure your configuration is correct
-
-Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment. The `deployment-registry` field is optional — when omitted, the CLI defaults to the public onchain Workflow Registry.
+Use the `ID` value as the `deployment-registry` in your `workflow.yaml`.
-If you are deploying to the onchain registry from a multi-sig wallet, specify your multi-sig address in the `workflow-owner-address` field. If you are deploying to the onchain registry from a standard EOA, you can leave this field unchanged—the owner will be automatically derived from the `CRE_ETH_PRIVATE_KEY` in your `.env` file. Private registry deployments use your CRE login session for workflow management and do not require `workflow-owner-address`.
+| | Private workflow | Public / onchain workflow |
+| ------------------------------- | ------------------------------- | ---------------------------------- |
+| `deployment-registry` value | `"private"` | `"onchain:ethereum-mainnet"` |
+| Authorization | CRE login session | Linked web3 wallet key |
+| Ethereum Mainnet RPC required | No | Yes |
+| ETH for gas (registry ops) | No | Yes |
+| `cre account link-key` required | No | Yes |
+| Creates onchain record | No | Yes, in Workflow Registry contract |
+| Default for `cre init` projects | Yes | No |
+| Ideal for | Testing, team-managed workflows | Production, multisig ownership |
-For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+Secrets follow the same split. See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the per-registry secrets flows.
-### Step 2: Run the deploy command
+## Limits
-**From your project root directory**, run the `deploy` command with the path to your workflow folder.
+Both registry types have per-organization defaults. See [Service Quotas](/cre/service-quotas#registry-quotas) for current values.
-```bash
-cre workflow deploy [flags]
-```
+| | Default limit |
+| ------------------------------------------- | ------------- |
+| Private registry workflows per organization | 3 |
+| Linked keys per organization (onchain) | 1 |
+| Workflows per linked key (onchain) | 3 |
-Example command to target the `production-settings` environment:
+## Deployment guides
-```bash
-cre workflow deploy my-workflow --target production-settings
-```
+For step-by-step instructions, choose the guide for your target registry:
-**Available flags:**
-
-| Flag | Description |
-| ---------------- | --------------------------------------------------------------------------------------- |
-| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
-| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
-| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
-| `--config` | Override the config file path from `workflow.yaml` |
-| `--no-config` | Deploy without a config file |
-| `--unsigned` | Return the raw transaction instead of broadcasting it to the network |
-| `--yes` | Skip confirmation prompts and proceed with the operation |
-| `--project-root` | Path to the project root directory |
-| `--env` | Path to your `.env` file (default: `".env"`) |
-| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
-
-### Step 3: Monitor the output
-
-The CLI will provide detailed logs of the deployment process, including compilation, upload to the CRE Storage Service, and the registry operation. Public onchain deployments include transaction details; private registry deployments do not submit an Ethereum Mainnet transaction.
-
-**Example onchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target production-settings
-
-Deploying Workflow : my-workflow
-Target : production-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Verifying ownership...
-Workflow owner link status: owner=, linked=true
-Key ownership verified
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Preparing deployment transaction...
-Preparing transaction for workflowID:
-Transaction details:
- Chain Name: ethereum-mainnet
- To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Function: UpsertWorkflow
- Inputs:
- [0]: my-workflow
- [1]: my-workflow
- [2]:
- [3]: 0
- [4]: zone-a
- [5]: https://storage.cre.example.com/artifacts//binary.wasm
- [6]: https://storage.cre.example.com/artifacts//config
- [7]: 0x
- [8]: false
- Data: b377bfc50000000000000000000000000000000000...
-Estimated Cost:
- Gas Price: 0.00100001 gwei
- Total Cost: 0.00000079 ETH
-? Do you want to execute this transaction?:
- ▸ Yes
- No
-
-Transaction confirmed
-View on explorer: https://etherscan.io/tx/0x58599f6...d916b
-
-✓ Workflow deployed successfully
-
-Details:
- Registry: onchain:ethereum-mainnet
- Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
- Transaction hash: 0x58599f6...d916b
- Workflow Name: my-workflow
- Workflow ID:
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
-```
-
-**Example private/offchain registry output:**
-
-```bash
-> cre workflow deploy my-workflow --target staging-settings
-
-Deploying Workflow : my-workflow
-Target : staging-settings
-Owner Address :
-
-Compiling workflow...
-Workflow compiled successfully
-
-Uploading files...
-✔ Loaded binary from: ./binary.wasm.br.b64
-✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
-✔ Loaded config from: ./config.json
-✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
-
-Registering workflow in private registry (workflowID: )...
-✓ Workflow registered in private registry
-
-Details:
- Registry: private
- Workflow Name: my-workflow
- Workflow ID:
- Status: Active
- Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
- Config URL: https://storage.cre.example.com/artifacts//config
- Owner:
-```
-
-## Verifying your deployment
-
-After a successful deployment, you can verify that your workflow was registered correctly:
-
-1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization, the registry each was deployed to, and its current status. Workflows on the private registry are tagged `private` in the output.
-
-2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see your workflow's status, ID, and execution history. Workflows deployed to the private registry are also tagged `private` in the UI.
-
-3. **Block Explorer (onchain registry only)**: For workflows deployed with `deployment-registry: "onchain:ethereum-mainnet"`, the CLI output includes the transaction hash for the registration. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
-
-## CI/CD pipeline integration
-
-The `cre workflow build` and `cre workflow deploy` commands can be run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
-
-The separation gives you two key benefits:
-
-- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
-- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
-
-### Example: GitHub Actions
-
-The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
-
-```yaml
-# .github/workflows/deploy.yml
-name: Deploy Workflow
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Build workflow
- run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
-
- - name: Display content hashes
- run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow/binary.wasm
-
- deploy:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install CRE CLI
- run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
-
- - name: Download artifact
- uses: actions/download-artifact@v4
- with:
- name: workflow-binary
- path: ./my-workflow
-
- - name: Deploy workflow
- run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
- env:
- CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
- CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
- INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-```
-
-
-
- Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
-
-
-
-
- Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
-
-
-## Using multi-sig wallets
-
-The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
-
-For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
-
-## Next steps
-
-- [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry): Step-by-step guide for using the Chainlink-hosted private registry
-- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows): Learn how to control workflow execution
-- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows): Track your workflow's execution and performance
-- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows): Deploy new versions of your workflow
+- **[Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry)** — Uses your CRE login session. No wallet, no gas, no Ethereum Mainnet RPC required for registry operations.
+- **[Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry)** — Requires a linked wallet key and ETH on Ethereum Mainnet for registry transaction gas.
---
@@ -5268,7 +5003,9 @@ Last Updated: 2026-05-06
Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
-The **private registry** is a Chainlink-hosted, offchain workflow registry available as of CRE CLI v1.14.0. Deploying to it works identically to the public onchain registry, with one key difference: all lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
+
+This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
@@ -5282,7 +5019,7 @@ Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
-- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output (see [Step 1](#step-1-confirm-the-private-registry-is-available) below). Organizations are limited to **3 private registry workflows** by default. See [Service Quotas](/cre/service-quotas#registry-quotas).
+- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
@@ -5292,34 +5029,11 @@ Unlike the public onchain registry, you do **not** need:
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
-## Step 1: Confirm the private registry is available
+## Step 1: Set `deployment-registry` in your `workflow.yaml`
-Run `cre registry list` to see the registries available to your organization:
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
-```bash
-cre registry list
-```
-
-**Example output:**
-
-```
-Registries available to your organization
-
-ethereum-mainnet (0x4Ac5...E7e5)
- ID: onchain:ethereum-mainnet
- Type: on-chain
- Addr: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
-
-Private (Chainlink-hosted)
- ID: private
- Type: off-chain
-```
-
-You need to see a registry with `Type: off-chain` before proceeding. If no private registry appears, your organization has not been provisioned access yet. Contact your Chainlink account team.
-
-## Step 2: Add `deployment-registry` to your `workflow.yaml`
-
-Open your workflow's `workflow.yaml` and add `deployment-registry: "private"` under the `user-workflow` section for the target you want to deploy to:
+If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
@@ -5349,14 +5063,12 @@ staging-settings:
secrets-path: ""
```
-The `deployment-registry` field is optional. When omitted, the CLI uses the default public onchain Workflow Registry. Setting it to `"private"` routes all lifecycle operations for that target through the Chainlink-hosted private registry.
-
`deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
-## Step 3: Deploy the workflow
+## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
@@ -5397,7 +5109,7 @@ Details:
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
-## Step 4: Verify the deployment
+## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
@@ -5537,13 +5249,273 @@ jobs:
## Next steps
-- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Overview of both registry options and the full deployment process
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands
---
+# Deploying to the Onchain Registry
+Source: https://docs.chain.link/cre/guides/operations/deploying-to-onchain-registry
+Last Updated: 2026-05-06
+
+
+ Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
+
+
+The **public onchain registry** is the Workflow Registry contract on Ethereum Mainnet. Deploying to it records your workflow onchain — your linked wallet address becomes the workflow owner and every lifecycle operation (deploy, activate, pause, update, delete) submits a transaction to that contract.
+
+For a lower-friction alternative that requires no wallet or gas for registry management, see [Deploying to the Private Registry](/cre/guides/operations/deploying-to-private-registry).
+
+## Prerequisites
+
+Before deploying to the onchain registry, ensure you have:
+
+- **Early Access approval**: Run `cre account access` to check your status or submit a request. See [Requesting Deploy Access](/cre/account/deploy-access).
+- **[Authenticated](/cre/reference/cli/authentication)**: Logged in via `cre login` or using an [API key](/cre/reference/cli/authentication#api-key-authentication) (`CRE_API_KEY`). To verify, run `cre whoami`.
+- **[Linked your key](/cre/organization/linking-keys)**: Linked your EOA or multi-sig wallet to your CRE organization by running `cre account link-key`. See [Linking Wallet Keys](/cre/organization/linking-keys) for instructions.
+- **A funded wallet**: The account you are deploying from must hold ETH on Ethereum Mainnet to pay gas for the registration transaction.
+- **`CRE_ETH_PRIVATE_KEY` in your `.env`**: Your wallet's private key, used by the CLI to sign registry transactions.
+- **An Ethereum Mainnet RPC URL in `project.yaml`**: Required for the CLI to submit transactions. Example: `https://ethereum-rpc.publicnode.com`.
+- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
+
+## The deployment process
+
+The `cre workflow deploy` command handles the entire end-to-end process:
+
+1. **Compiles** your workflow to a WASM binary.
+2. **Uploads** the compiled binary and any associated configuration files to the CRE Storage Service.
+3. **Registers** the workflow onchain by submitting a transaction to the Workflow Registry contract on Ethereum Mainnet. Your wallet must have ETH for gas fees, and your `project.yaml` must include an RPC configuration for `ethereum-mainnet`. The transaction contains the workflow's name, owner, and artifact URLs.
+
+
+
+ Chainlink Runtime Environment (CRE) deployment is in the "Early Access" stage of development, which means that CRE currently has functionality which is under development and may be changed in later versions. By using CRE, you expressly acknowledge and agree to accept the Chainlink Terms of Service , which provides important information and disclosures.
+
+
+### Step 1: Ensure your configuration is correct
+
+Before deploying, ensure your `workflow.yaml` file is correctly configured. The `workflow-name` field is required under the `user-workflow` section for your target environment.
+
+When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Selecting `onchain:ethereum-mainnet` writes `deployment-registry: "onchain:ethereum-mainnet"` into the generated `workflow.yaml` automatically. If you chose the onchain registry during init, your config is already set.
+
+If you initialized without selecting a registry, or are adding a new target, add `deployment-registry: "onchain:ethereum-mainnet"` explicitly. The field is optional — when omitted the CLI defaults to onchain — but setting it is recommended to make the intent clear.
+
+```yaml
+# workflow.yaml
+production-settings:
+ user-workflow:
+ workflow-name: "my-workflow-production"
+ deployment-registry: "onchain:ethereum-mainnet"
+ workflow-artifacts:
+ workflow-path: "./main.ts" # Go: "."
+ config-path: "./config.production.json"
+ secrets-path: ""
+```
+
+If you are deploying from a **multi-sig wallet**, specify your multi-sig address in the `workflow-owner-address` field. If deploying from a standard EOA, leave this field out — the owner is automatically derived from `CRE_ETH_PRIVATE_KEY` in your `.env` file.
+
+For more details on configuration, see the [Project Configuration](/cre/reference/project-configuration) reference.
+
+### Step 2: Run the deploy command
+
+**From your project root directory**, run the `deploy` command with the path to your workflow folder:
+
+```bash
+cre workflow deploy [flags]
+```
+
+Example command targeting the `production-settings` environment:
+
+```bash
+cre workflow deploy my-workflow --target production-settings
+```
+
+**Available flags:**
+
+| Flag | Description |
+| ---------------- | --------------------------------------------------------------------------------------- |
+| `--target` | Sets the target environment from your configuration files (e.g., `production-settings`) |
+| `--output` | The output file for the compiled WASM binary (default: `"./binary.wasm.br.b64"`) |
+| `--wasm` | Path to a pre-built WASM binary (skips compilation). Useful in CI/CD pipelines |
+| `--config` | Override the config file path from `workflow.yaml` |
+| `--no-config` | Deploy without a config file |
+| `--unsigned` | Return the raw transaction instead of broadcasting it (for multi-sig wallets) |
+| `--yes` | Skip confirmation prompts and proceed with the operation |
+| `--project-root` | Path to the project root directory |
+| `--env` | Path to your `.env` file (default: `".env"`) |
+| `--verbose` | Enable verbose logging to print `DEBUG` level logs |
+
+### Step 3: Monitor the output
+
+The CLI provides detailed logs of the compilation, upload, and the onchain registration transaction:
+
+```bash
+> cre workflow deploy my-workflow --target production-settings
+
+Deploying Workflow : my-workflow
+Target : production-settings
+Owner Address :
+
+Compiling workflow...
+Workflow compiled successfully
+
+Verifying ownership...
+Workflow owner link status: owner=, linked=true
+Key ownership verified
+
+Uploading files...
+✔ Loaded binary from: ./binary.wasm.br.b64
+✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
+✔ Loaded config from: ./config.json
+✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
+
+Preparing deployment transaction...
+Preparing transaction for workflowID:
+Transaction details:
+ Chain Name: ethereum-mainnet
+ To: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Function: UpsertWorkflow
+ Inputs:
+ [0]: my-workflow
+ [1]: my-workflow
+ [2]:
+ [3]: 0
+ [4]: zone-a
+ [5]: https://storage.cre.example.com/artifacts//binary.wasm
+ [6]: https://storage.cre.example.com/artifacts//config
+ [7]: 0x
+ [8]: false
+ Data: b377bfc50000000000000000000000000000000000...
+Estimated Cost:
+ Gas Price: 0.00100001 gwei
+ Total Cost: 0.00000079 ETH
+? Do you want to execute this transaction?:
+ ▸ Yes
+ No
+
+Transaction confirmed
+View on explorer: https://etherscan.io/tx/0x58599f6...d916b
+
+✓ Workflow deployed successfully
+
+Details:
+ Registry: onchain:ethereum-mainnet
+ Contract address: 0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5
+ Transaction hash: 0x58599f6...d916b
+ Workflow Name: my-workflow
+ Workflow ID:
+ Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
+ Config URL: https://storage.cre.example.com/artifacts//config
+```
+
+## Verifying your deployment
+
+After a successful deployment, verify your workflow was registered correctly:
+
+1. **CLI**: Run [`cre workflow list`](/cre/reference/cli/workflow#cre-workflow-list) to see every workflow registered to your organization and its current status.
+
+2. **CRE UI**: View your deployed workflow in the [CRE platform](https://app.chain.link/cre/discover). Navigate to the **Workflows** section to see the workflow's status, ID, and execution history.
+
+3. **Block Explorer**: The CLI output includes the transaction hash. The `WorkflowRegistry` contract is deployed on **Ethereum Mainnet** at `0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5` .
+
+## CI/CD pipeline integration
+
+The `cre workflow build` and `cre workflow deploy` commands can run as independent steps, making it straightforward to integrate CRE deployments into CI/CD pipelines.
+
+The separation gives you two key benefits:
+
+- **Build once, deploy many times** — Compile your workflow to a WASM binary in a build step, then promote that exact binary to staging and production without recompiling. This ensures the artifact you tested is the artifact you deploy.
+- **Verify before deploying** — Use `cre workflow hash` after building to record and verify content hashes before submitting a deployment transaction.
+
+### Example: GitHub Actions
+
+The following example shows a two-job pipeline: a `build` job that compiles and uploads the WASM artifact, and a `deploy` job that downloads and deploys that exact binary.
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy Workflow
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Build workflow
+ run: cre workflow build ./my-workflow --output ./my-workflow/binary.wasm --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+
+ - name: Display content hashes
+ run: cre workflow hash ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow/binary.wasm
+
+ deploy:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install CRE CLI
+ run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: workflow-binary
+ path: ./my-workflow
+
+ - name: Deploy workflow
+ run: cre workflow deploy ./my-workflow --wasm ./my-workflow/binary.wasm --target production-settings --yes --non-interactive
+ env:
+ CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
+ CRE_ETH_PRIVATE_KEY: ${{ secrets.CRE_ETH_PRIVATE_KEY }}
+ INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
+```
+
+
+
+ Use `CRE_API_KEY` for non-interactive authentication in CI/CD pipelines instead of `cre login`, and pass `--non-interactive` so commands fail instead of prompting. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
+
+
+
+
+ Use `${VAR_NAME}` syntax in your `project.yaml` RPC URLs to inject secrets from your CI/CD environment. See [Environment variable interpolation in RPC URLs](/cre/reference/project-configuration#environment-variable-interpolation-in-rpc-urls) for details.
+
+
+## Using multi-sig wallets
+
+The `deploy` command supports multi-sig wallets through the `--unsigned` flag. When using this flag, the CLI generates raw transaction data that you can submit through your multi-sig wallet interface instead of sending the transaction directly.
+
+For complete setup instructions, configuration requirements, and step-by-step guidance, see [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets).
+
+## Next steps
+
+- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
+- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
+- [Monitoring Workflows](/cre/guides/operations/monitoring-workflows) — Track your workflow's execution and performance
+- [Updating Deployed Workflows](/cre/guides/operations/updating-deployed-workflows) — Deploy new versions of your workflow
+- [Using Multi-sig Wallets](/cre/guides/operations/using-multisig-wallets) — Multi-sig wallet setup and transaction signing
+
+---
+
# Activating & Pausing Workflows
Source: https://docs.chain.link/cre/guides/operations/activating-pausing-workflows
Last Updated: 2025-11-04
@@ -5563,7 +5535,7 @@ Before activating or pausing workflows, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run these commands from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to activate or pause.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check your authentication status, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account you are using must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Activating a workflow
@@ -5734,7 +5706,7 @@ Before updating a deployed workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to update.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Updating a workflow
@@ -5798,7 +5770,7 @@ Before deleting a workflow, ensure you have:
- **Workflow authorization**: You must be authorized to manage the workflow. Public onchain registry workflows use the linked workflow owner address. Private registry workflows use your CRE organization login session.
- **Local workflow folder**: You must run this command from your project directory. The CLI reads the workflow name and configuration from your `workflow.yaml` file to identify which workflow to delete.
- **[Logged in](/cre/reference/cli/authentication#cre-login)**: Authenticated with the platform by running `cre login`. To check if you are logged in, run `cre whoami`.
-- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+- **(Optional) `deployment-registry` in `workflow.yaml`**: When omitted, the CLI uses the default onchain registry. Set to `"private"` to manage the workflow via the Chainlink-hosted private registry. See [Choosing your registry](/cre/guides/operations/deploying-workflows#comparing-registries).
- **(Onchain registry only) A funded wallet**: The account must be funded with ETH on Ethereum Mainnet to pay gas for the registry transaction.
## Deleting a workflow
@@ -9446,7 +9418,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.
diff --git a/src/content/cre/reference/cli/registry.mdx b/src/content/cre/reference/cli/registry.mdx
index 6ba3e83940b..d0f2c6990db 100644
--- a/src/content/cre/reference/cli/registry.mdx
+++ b/src/content/cre/reference/cli/registry.mdx
@@ -58,7 +58,7 @@ Private (Chainlink-hosted)
Type: off-chain
```
-The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#choosing-your-registry).
+The `ID` value is what you put in the optional `user-workflow.deployment-registry` field of your `workflow.yaml` to target that registry on `cre workflow deploy`. See [Project Configuration](/cre/reference/project-configuration#3-2-workflow-configuration-workflow-yaml) and [Deploying Workflows](/cre/guides/operations/deploying-workflows#comparing-registries).
If no registries are found for your environment, the command prints a warning and exits cleanly.