Authentication
The Orka API uses API keys to authenticate requests. This page covers how to create, use, and manage your API keys.
API Keys
API keys are used to authenticate all requests to the Orka API. Each key is associated with a workspace and has specific permissions.
Creating an API Key
- Log in to your Orka dashboard
- Go to Settings → API Keys
- Click Create New Key
- Give your key a descriptive name (e.g., "Production Server", "Development")
- Select the appropriate permissions
- Click Create
Save Your Key
Your API key will only be shown once. Copy it immediately and store it in a secure location like a password manager or environment variable.
Using Your API Key
Include your API key in the Authorization header of all requests:
```
Authorization: Bearer sk_your_api_key_here
```
Example with cURL
```bash
curl https://api.orka.ai/v1/agents \
  -H "Authorization: Bearer sk_your_api_key_here"
```
Example with JavaScript
```javascript
const response = await fetch('https://api.orka.ai/v1/agents', {
  headers: {
    'Authorization': `Bearer ${process.env.ORKA_API_KEY}`,
    'Content-Type': 'application/json',
  },
});
```
Example with Python
```python
import requests
import os

response = requests.get(
    'https://api.orka.ai/v1/agents',
    headers={
        'Authorization': f'Bearer {os.environ["ORKA_API_KEY"]}'
    }
)
```
Key Types
| Type | Prefix | Description |
|------|--------|-------------|
| Secret Key | sk_ | Full API access, use on servers only |
| Publishable Key | pk_ | Limited access, safe for client-side (read-only) |
Never Expose Secret Keys
Secret keys (sk_) should never be exposed in client-side code, committed to version control, or shared publicly. Use environment variables to manage secrets.
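As an added example (not part of the Orka documentation or SDK), the scanner below flags secret keys in source text before it is shipped to a client or committed. It assumes a key is its prefix followed by at least 16 URL-safe characters, since this page documents only the prefixes; findings are masked to the first and last 4 characters, as the dashboard does.

```python
import re

# Assumption: a key is its prefix followed by 16+ URL-safe characters.
# The page documents only the prefixes (sk_, pk_), not the full key format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(sk|pk)_[A-Za-z0-9_-]{16,}")
PLACEHOLDERS = {"sk_your_api_key_here"}  # documentation placeholder, not a real key


def mask(key: str) -> str:
    """Show only the first and last 4 characters of a key."""
    return f"{key[:4]}...{key[-4:]}"


def find_secret_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_key) for every secret key found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            # Publishable keys are client-safe; placeholders are not secrets.
            if key.startswith("pk_") or key in PLACEHOLDERS:
                continue
            findings.append((lineno, mask(key)))
    return findings


# Constructed sample: a client-side file containing one fake secret key.
SAMPLE = """\
const publishable = 'pk_9f8e7d6c5b4a39281706';
// docs: Authorization: Bearer sk_your_api_key_here
const leaked = 'sk_A1b2C3d4E5f6G7h8I9j0';
const ok = process.env.ORKA_API_KEY;
"""

if __name__ == "__main__":
    for lineno, masked in find_secret_keys(SAMPLE):
        print(f"line {lineno}: secret key {masked} must not appear here")
```

Run over staged files in a pre-commit hook or over a built client bundle, a non-empty result should fail the check, and the flagged key should be rotated.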
Key Permissions
When creating an API key, you can restrict its permissions:
| Permission | Description |
|------------|-------------|
| agents:read | List and view agents |
| agents:write | Create, update, and delete agents |
| datastores:read | List and view datastores |
| datastores:write | Create, update, and delete datastores |
| documents:read | List and view documents |
| documents:write | Upload and delete documents |
| chat:query | Send chat queries |
Example: Read-Only Key
For applications that only need to query agents, create a key with only:
- agents:read
- datastores:read
- chat:query
Managing Keys
Listing Keys
View all your API keys in the dashboard under Settings → API Keys. For security, only the first and last 4 characters of each key are shown.
Revoking Keys
To revoke a key:
- Go to Settings → API Keys
- Find the key you want to revoke
- Click the Delete button
- Confirm the deletion
Revoking a key is immediate and permanent. Any applications using that key will immediately lose access.
Rotating Keys
To rotate a key:
- Create a new API key
- Update your applications to use the new key
- Verify the new key works correctly
- Delete the old key
Best Practices
Environment Variables
Store API keys in environment variables:
```
# .env file (never commit this!)
ORKA_API_KEY=sk_your_api_key_here
```
Load in your application:
```javascript
// Node.js
const apiKey = process.env.ORKA_API_KEY;
```
```python
# Python
import os
api_key = os.environ.get("ORKA_API_KEY")
```
Key Naming
Use descriptive names for your keys:
- Good: Production Server, CI/CD Pipeline, Local Development
- Bad: Key 1, test, asdf
Least Privilege
Create keys with only the permissions they need. A read-only dashboard doesn't need write permissions.
Regular Rotation
Rotate your API keys periodically (e.g., every 90 days) and immediately if you suspect a key has been compromised.
Error Responses
Invalid API Key
```json
{
  "error": {
    "code": "authentication_error",
    "message": "Invalid API key provided."
  }
}
```
Status Code: 401 Unauthorized
Missing API Key
```json
{
  "error": {
    "code": "authentication_error",
    "message": "No API key provided. Include your API key in the Authorization header."
  }
}
```
Status Code: 401 Unauthorized
Insufficient Permissions
```json
{
  "error": {
    "code": "permission_denied",
    "message": "This API key does not have permission to perform this action."
  }
}
```
Status Code: 403 Forbidden