Issue
Your API key has expired unexpectedly and you're receiving 403 Forbidden errors when hitting API endpoints.
Resolution
Use heroku authorizations:create for production apps, and heroku auth:token for development.
There are multiple ways to create API keys and all of them have different expiration policies. This is further compounded by the fact that you can manually modify these expiration dates depending on your requirements and whether your user account is SSO enabled.
In the Heroku Dev Center you'll see the CLI command heroku auth:token. This command shows the token associated with the account you are logged in to Heroku with. By default, this token expires a year after you log in. This token will also expire if you run heroku logout from the CLI. Furthermore, if you have SSO enabled, this token will expire 8 hours after you log in. While this command is appropriate for development, you will want to avoid it for production use.
The Heroku Dashboard offers an API key on your Account settings if your user account is not SSO enabled.
While this key does not have a hard-coded expiration date, it will expire whenever your account password changes. In an enterprise context, where passwords can be changed at a steady cadence, you may find this limitation to be onerous.
If your account is not SSO enabled, heroku authorizations:create allows you to create a token that expires at a specific time or never expires. You can also use heroku authorizations:revoke to delete it immediately. Finally, you can add a description to this token, making it easier to document how the token is being used.
We recommend that Enterprise Accounts and Teams that have enabled SSO for their users and need a long-lived token for integration maintain a user account that is not SSO enabled to create and manage tokens.
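The following sketch is an added example, not taken from Heroku's documentation. It wraps heroku authorizations:create to issue a described, time-limited token, and adds a check that a scheduled job can run to flag a token before it lapses. The function names are hypothetical, and it assumes you record the time each token was issued alongside its lifetime in seconds.

```shell
#!/bin/sh
# Added example; create_integration_token and token_status are hypothetical names.

# Create a described, time-limited token for a production integration.
# $1 = description, $2 = lifetime in days. Prints only the token (--short).
create_integration_token() {
    desc=$1
    days=$2
    heroku authorizations:create \
        --description "$desc" \
        --expires-in "$((days * 86400))" \
        --short
}

# Classify a token from its issue time and lifetime.
# $1 = issued (epoch seconds)
# $2 = lifetime in seconds (empty string = token never expires)
# $3 = now (epoch seconds)
# $4 = warning window in days
# Prints: never | expired | warn:<whole days left> | ok:<whole days left>
token_status() {
    issued=$1 lifetime=$2 now=$3 warn_days=$4
    if [ -z "$lifetime" ]; then
        echo never
        return 0
    fi
    remaining=$((issued + lifetime - now))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ "$remaining" -le $((warn_days * 86400)) ]; then
        echo "warn:$((remaining / 86400))"
    else
        echo "ok:$((remaining / 86400))"
    fi
}
```

A job that calls token_status with the current time (date +%s) and fails on warn or expired gives you time to rotate the token before API calls start returning 403.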