> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Heroku connector

> C1 provides identity governance for Heroku. Integrate your Heroku platform with C1 for unified visibility and governance over user, team, app collaborator, and enterprise account access.

C1 provides identity governance for Heroku. Integrate your Heroku instance
with C1 for unified visibility and governance over user, team, app
collaborator, and enterprise account access.

## Capabilities

| Resource            | Sync                                                          | Provision                                                     |
| ------------------- | ------------------------------------------------------------- | ------------------------------------------------------------- |
| Users               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Teams               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Enterprise accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Apps                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

Teams expose `admin`, `member`, `viewer`, `collaborator`, and `owner` role
entitlements. Enterprise accounts expose `view`, `create`, `manage`, and
`billing` permission entitlements. Apps expose a `collaborator` entitlement
plus the `view`, `deploy`, `operate`, and `manage` permission entitlements.

## Gather Heroku credentials

<Warning>
  To configure the Heroku connector, you need an API token with `global` or
  `write-protected` scope on the Heroku account that will own the connector.
  Federated/SSO users cannot mint non-expiring API tokens — create a dedicated
  service account in that case.
</Warning>

<Steps>
  <Step>
    Sign in to Heroku with the account you want to use for the integration.
    For SSO/federated organizations, sign in as a non-federated service
    account.
  </Step>

  <Step>
    Create a long-lived API token by running:

    ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    heroku authorizations:create --description "ConductorOne" --scope global
    ```

    The `--scope global` flag is the simplest option and grants full
    read/write access. For minimum-privilege provisioning, use
    `--scope write-protected` instead. Read-only sync works with
    `--scope read`.
  </Step>

  <Step>
    Copy the value from the `Token` field of the command output. It begins
    with `HRKU-`.
  </Step>
</Steps>

## Configure the Heroku connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Heroku** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Heroku connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the Heroku credentials:

        * **API token**: The `HRKU-…` token created above.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Heroku connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the Heroku connector in your own
    environment.

    <Steps>
      <Step>
        Create a secret containing the Heroku API token.
      </Step>

      <Step>
        Configure the connector environment variables:

        * **BATON\_API\_TOKEN**: The `HRKU-…` token created above.
      </Step>

      <Step>
        Deploy the connector using your standard self-hosted connector process.
      </Step>
    </Steps>

    **Done.** Your Heroku connector is now pulling access data into C1.
  </Tab>
</Tabs>
