diff --git a/.github/workflows/testme.yml b/.github/workflows/testme.yml
index 391f6b4..16c97e7 100644
--- a/.github/workflows/testme.yml
+++ b/.github/workflows/testme.yml
@@ -23,4 +23,5 @@ jobs:
         meta-path: test/meta.json
         org-id: ${{ secrets.test_org_id }}
         do-upload: false
-        cli-config-secret: ${{ secrets.cli_config }}
+        key-id: ${{ secrets.viam_key_id }}
+        key-value: ${{ secrets.viam_key_value }}
diff --git a/README.md b/README.md
index e723fc7..9618664 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,5 @@
 # upload-module action
 
-> [!NOTE]
-> These are pre-release instructions for people who want to test this action, and will not work well yet for production flows.
-
 This action uploads your module to the Viam modular registry. By default it runs both `update` (set your metadata) and `upload` (upload the module), but you can disable either step with configuration (see action.yml).
 
 For more information about the parameters, look at:
@@ -15,8 +12,8 @@ Or keep reading for a tutorial.
 
 1. Go to the 'Actions' tab of your repo -> 'create a new workflow' -> 'set up yourself'
 1. Paste in the following YAML, then edit all the lines marked with `<--`
-1. Follow the 'setting CLI config secret' instructions [below](#setting-cli-config-secret)
-1. Push to a branch or create a release -- your module should upload to our registry with the appropriate version
+1. Follow the 'setting up auth' instructions [below](#setting-up-auth)
+1. Push a commit or create a release -- your module should upload to our registry with the appropriate version
 
 ```yml
 on:
@@ -38,31 +35,20 @@ jobs:
         org-id: your-org-id-uuid # <-- replace with your org ID. not required for public modules
         platform: linux/amd64 # <-- replace with your target architecture, or your module will not deploy
         version: ${{ github.event_name == 'release' && github.ref_name || format('0.0.0-{0}.{1}', github.ref_name, github.run_number) }} # <-- see 'Versioning' section below for explanation
-        cli-config-secret: ${{ secrets.cli_config }}
+        key-id: ${{ secrets.viam_key_id }}
+        key-value: ${{ secrets.viam_key_value }}
 ```
 
-## Setting CLI config secret
-
-> [!NOTE]
-> These are pre-release instructions for testing this action, and will not work well for production flows. These instructions will give you a short lived access token that cannot self-update after its first refresh. Stay tuned.
-
-Base64-encode your CLI secret by running:
-
-```sh
-# run this on the device where you installed the `viam` CLI
-cat ~/.viam/cached_cli_config.json | base64
-```
-
-(If that json file doesn't exist, run `viam login` first).
-
-Then:
-- copy the output of that command to the clipboard
-- go to 'Settings' -> 'Secrets and variables' -> 'Actions' in your repo
-- click the 'New repository secret' button
-- name your secret `cli_config` (so it agrees with `secrets.cli_config` in the sample YAML)
-- paste the base64 output into the secret body
+## Setting up auth
 
-The publish job will run on your next release. You can trigger a re-run of a previous failed job from your repo's 'Actions' tab.
+1. Run `viam organizations list` to view your organization ID.
+2. Create a key with `viam organization api-key create --org-id $YOUR_ORG_UUID --name pick-any-name`. This command outputs an ID + a value, both of which you will use in step 4 below.
+3. In the github repo for your project, go to 'Settings' -> 'Secrets and variables' -> 'Actions'
+4. Create two new secrets using the 'New repository secret' button:
+  - `viam_key_id` with the UUID from "Key ID:" in your terminal
+  - `viam_key_value` with the string from "Key Value:" in your terminal
+5. All set! If you copy the YAML example above, it will use these secrets to authenticate to Viam. If you have already tried the action and it failed because the secrets were missing, you can trigger a re-run from your repo's 'Actions' tab.
+from your repo's 'Actions' tab.
 
 ## Versioning
 
diff --git a/action.yml b/action.yml
index 746d978..8fb6daa 100644
--- a/action.yml
+++ b/action.yml
@@ -14,8 +14,12 @@ inputs:
     description: organization id. one of org-id or namespace are required if your meta.json doesn't use a namespace
   namespace:
     description: public namespace. one of org-id or namespace are required if your meta.json doesn't use a namespace
-  cli-config-secret:
-    description: cached_cli_config.json contents from ~/.viam, as base64. Alternative to providing an auth key.
+  key-id:
+    description: ID of your auth key
+    required: true
+  key-value:
+    description: secret value of your auth key
+    required: true
   platform:
     description: a string like 'linux/amd64'. run `viam module upload --help` for all options.
   version:
@@ -51,6 +55,8 @@ runs:
   - ${{ inputs.version || '' }}
   - ${{ fromJSON(inputs.do-update) && '--do-update' || '' }}
   - ${{ fromJSON(inputs.do-upload) && '--do-upload' || '' }}
+  - --key-id=${{ inputs.key-id }}
+  - --key-value=${{ inputs.key-value }}
 
 branding:
   icon: upload-cloud
diff --git a/upload.py b/upload.py
index d2fea0a..287adad 100755
--- a/upload.py
+++ b/upload.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 "upload.py -- maps action params to viam update + upload commands"
 
-import argparse, os, subprocess, base64, logging, platform
+import argparse, subprocess, logging, platform
 
 # map platform.uname.machine -> GOARCH
 ARCH_LOOKUP = {
@@ -22,7 +22,8 @@ def main():
     g2.add_argument('--namespace')
 
     p.add_argument('--module-path')
-    p.add_argument('--cli-config-secret')
+    p.add_argument('--key-id', required=True)
+    p.add_argument('--key-value', required=True)
     p.add_argument('--platform')
     p.add_argument('--version')
     p.add_argument('--do-update', action='store_true')
@@ -30,12 +31,6 @@ def main():
     args, _ = p.parse_known_args()
     logging.basicConfig(level=logging.INFO)
 
-    if args.cli_config_secret:
-        os.makedirs(os.path.expanduser('~/.viam'), exist_ok=True)
-        with open(os.path.expanduser('~/.viam/cached_cli_config.json'), 'wb') as fconfig:
-            fconfig.write(base64.b64decode(args.cli_config_secret))
-        logging.info('wrote cli secret')
-
     meta_args = ()
     if args.meta_path:
         meta_args = ('--module', args.meta_path)
@@ -49,6 +44,7 @@ def main():
     logging.info('selected command %s based on arch %s', command, platform.uname().machine)
 
     subprocess.check_call([command, 'version'])
+    subprocess.check_call([command, 'auth', 'api-key', '--key-id', args.key_id, '--key', args.key_value])
     if args.do_update:
         subprocess.check_call([command, 'module', 'update', *meta_args, *org_args])
         logging.info('ran update')