# Deploying to the Private Registry
Source: https://docs.chain.link/cre/guides/operations/deploying-to-private-registry
Last Updated: 2026-05-06
> For the complete documentation index, see [llms.txt](/llms.txt).
> **NOTE: Early Access required**
>
> Workflow deployment is currently in Early Access. Run `cre account access` or visit app.chain.link/cre/request-access to submit a request. See [Requesting Deploy Access](/cre/account/deploy-access) for details.
The **private registry** is a Chainlink-hosted, offchain workflow registry. All lifecycle operations (deploy, activate, pause, delete, update) are authorized by your CRE login session — not a linked wallet key. There are no Ethereum Mainnet transactions and no gas fees for registry management.
This is the default registry for new projects initialized with `cre init`. For a comparison of both registry options, see [Deploying Workflows](/cre/guides/operations/deploying-workflows).
> **NOTE: Private is not confidential**
>
> The private registry is a private, centralized control plane for workflow management. **It does not make workflow execution confidential.** See [Private workflow](/cre/key-terms#private-workflow) in Key Terms for the distinction.
## Prerequisites
Before deploying to the private registry, ensure you have:
- **CRE CLI v1.14.0 or later**: Run `cre version` to check. See the [Installation Guide](/cre/getting-started/cli-installation/macos-linux) to install or update.
- **Early Access approval**: Run `cre account access` to check your status. See [Requesting Deploy Access](/cre/account/deploy-access).
- **[Logged in](/cre/account/cli-login)**: Run `cre login` and complete the browser authentication flow. API keys also work: set `CRE_API_KEY` in your environment.
- **Private registry enabled for your organization**: Run `cre registry list` and confirm a registry with `Type: off-chain` appears in the output. If no private registry appears, contact your Chainlink account team. Organizations are limited to **3 private registry workflows** by default — see [Service Quotas](/cre/service-quotas#registry-quotas).
- **A workflow project**: An existing project created with `cre init`. See [Part 1: Project Setup](/cre/getting-started/part-1-project-setup-ts) for the TypeScript guide or [Go guide](/cre/getting-started/part-1-project-setup-go).
Unlike the public onchain registry, you do **not** need:
- A linked wallet key (`cre account link-key`)
- `CRE_ETH_PRIVATE_KEY` in your `.env` file
- An Ethereum Mainnet RPC URL in `project.yaml`
- ETH for gas
## Step 1: Set `deployment-registry` in your `workflow.yaml`
When you run `cre init`, the wizard prompts you to select a deployment registry after entering your workflow name. Private (off-chain) registries appear first with the cursor pre-selected on them. Selecting `private` writes `deployment-registry: "private"` into both targets of the generated `workflow.yaml` automatically — you can skip the manual step below.
If you skipped the step, used `--non-interactive` without `--deployment-registry`, or are adding a new target to an existing project, add `deployment-registry: "private"` under the `user-workflow` section manually:
**TypeScript:**
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-workflow-staging"
deployment-registry: "private"
workflow-artifacts:
workflow-path: "./main.ts"
config-path: "./config.staging.json"
secrets-path: ""
```
**Go:**
```yaml
# workflow.yaml
staging-settings:
user-workflow:
workflow-name: "my-workflow-staging"
deployment-registry: "private"
workflow-artifacts:
workflow-path: "."
config-path: "./config.staging.json"
secrets-path: ""
```
> **NOTE: Per-target setting**
>
> `deployment-registry` is set per target. You can have one target deploy to `private` and another deploy to `onchain:ethereum-mainnet` in the same `workflow.yaml`. Lifecycle commands (`activate`, `pause`, `delete`, `update`) automatically use the registry configured for the target you pass with `--target`.
## Step 2: Deploy the workflow
From your project root, run the deploy command with your target:
```bash
cre workflow deploy my-workflow --target staging-settings
```
The CLI compiles your workflow, uploads the artifacts to the CRE Storage Service, and registers the workflow with the private registry using your CRE login session. There is no transaction prompt.
**Example output:**
```
Deploying Workflow : my-workflow
Target : staging-settings
Owner Address :
Compiling workflow...
Workflow compiled successfully
Uploading files...
✔ Loaded binary from: ./binary.wasm.br.b64
✔ Uploaded binary to: https://storage.cre.example.com/artifacts//binary.wasm
✔ Loaded config from: ./config.staging.json
✔ Uploaded config to: https://storage.cre.example.com/artifacts//config
Registering workflow in private registry (workflowID: )...
✓ Workflow registered in private registry
Details:
Registry: private
Workflow Name: my-workflow
Workflow ID:
Status: Active
Binary URL: https://storage.cre.example.com/artifacts//binary.wasm
Config URL: https://storage.cre.example.com/artifacts//config
Owner:
```
The workflow is registered and active immediately. Notice there is no transaction hash, no gas cost, and the `Owner` is your CRE organization rather than a wallet address.
## Step 3: Verify the deployment
Run `cre workflow list` to confirm the workflow appears and is registered to the private registry:
```bash
cre workflow list
```
Workflows deployed to the private registry are tagged with the registry ID `private` in the list output. You can also filter to only show private registry workflows:
```bash
cre workflow list --registry private
```
You can also view the workflow in the [CRE platform](https://app.chain.link/cre/discover) under **Workflows**.
## Managing a private registry workflow
All standard lifecycle commands work the same way for private registry workflows. The CLI routes the operation through the Chainlink-hosted registry automatically based on the `deployment-registry` value in your `workflow.yaml`.
### Activate
```bash
cre workflow activate my-workflow --target staging-settings
```
**Example output:**
```
Fetching workflow to activate... Name=my-workflow
Processing activation for workflow ID ...
✓ Workflow activated successfully
Details:
Registry: private
Workflow Name: my-workflow
Workflow ID:
Status: Active
Owner:
```
### Pause
```bash
cre workflow pause my-workflow --target staging-settings
```
**Example output:**
```
Fetching workflow to pause... Name=my-workflow
Processing pause for workflow ID ...
✓ Workflow paused successfully
Details:
Registry: private
Workflow Name: my-workflow
Workflow ID:
Status: Paused
Owner:
```
### Update
Redeploy with the same workflow name to update a private registry workflow. The CLI replaces the existing registration:
```bash
cre workflow deploy my-workflow --target staging-settings
```
The CLI prompts you to confirm before overwriting the existing workflow. Pass `--yes` to skip the prompt.
### Delete
```bash
cre workflow delete my-workflow --target staging-settings
```
The CLI fetches the workflow, displays its details, and prompts you to type the workflow name to confirm. This action is permanent.
> **CAUTION: Deletion is permanent**
>
> Deleting a workflow from the private registry permanently removes it and cannot be undone. The workflow will no longer respond to triggers.
## Secrets with the private registry
Secrets for private registry workflows are authorized through a browser-based OAuth (PKCE) flow rather than your linked wallet key. Use the `--secrets-auth=browser` flag on any `cre secrets` command:
```bash
# Create secrets for a private registry workflow
cre secrets create secrets.yaml --target staging-settings --secrets-auth=browser
# Update secrets
cre secrets update secrets.yaml --target staging-settings --secrets-auth=browser
# List secrets
cre secrets list --target staging-settings --secrets-auth=browser
```
When you pass `--secrets-auth=browser`, the CLI opens a browser window to authorize the operation against the Vault DON using your CRE login session. No wallet, no `workflow-owner-address`, and no gas are required.
See [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) for the full secrets guide.
## CI/CD with the private registry
Because the private registry does not require `CRE_ETH_PRIVATE_KEY` or an Ethereum Mainnet RPC, CI/CD pipelines are simpler. You only need `CRE_API_KEY`:
```yaml
# .github/workflows/deploy-private.yml
name: Deploy to Private Registry
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install CRE CLI
run: curl -sSL https://github.com/smartcontractkit/cre-cli/releases/latest/download/install.sh | sh
- name: Deploy workflow
run: cre workflow deploy ./my-workflow --target staging-settings --yes --non-interactive
env:
CRE_API_KEY: ${{ secrets.CRE_API_KEY }}
```
> **NOTE: API key authentication**
>
> Use `CRE_API_KEY` for non-interactive CI/CD authentication. Create an API key from the CRE platform under **Organization → APIs**. See [Authentication](/cre/reference/cli/authentication#api-key-authentication) for setup instructions.
## Next steps
- [Deploying Workflows](/cre/guides/operations/deploying-workflows) — Registry overview and comparison
- [Deploying to the Onchain Registry](/cre/guides/operations/deploying-to-onchain-registry) — Deploy with a linked wallet key and onchain record
- [Activating & Pausing Workflows](/cre/guides/operations/activating-pausing-workflows) — Control workflow execution state
- [Using Secrets with Deployed Workflows](/cre/guides/workflow/secrets/using-secrets-deployed) — Manage secrets for deployed workflows
- [Registry Commands Reference](/cre/reference/cli/registry) — `cre registry list` and related commands