Documentation

API Keys

Authenticate with the OrbitKit API using API keys from your dashboard.

API keys provide long-lived authentication for CI/CD pipelines, scripts, and the OrbitKit CLI. API keys remain valid until revoked.

Create a key

  1. Go to the OrbitKit dashboard
  2. Navigate to Settings → API Keys
  3. Click Create API Key and give it a name (e.g., “CI/CD Pipeline”)
  4. Copy the key immediately — it is only shown once

Limits

  • Maximum 10 active keys per account
  • Key creation is rate-limited to 5 per hour

Key format

ok_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG
│  │         └── secret token (24 chars) — never stored, only its hash
│  └── key ID (8 chars) — used to identify the key
└── prefix — identifies OrbitKit keys for secret scanners

The ok_ prefix is recognized by GitHub secret scanning and GitGuardian, so accidentally committed keys are flagged automatically.

Using an API key

Pass the key in the Authorization header:

curl -H "Authorization: Bearer ok_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG" \
     https://api.orbitkit.io/api/apps

let url = URL(string: "https://api.orbitkit.io/api/apps")!
var request = URLRequest(url: url)
request.setValue("Bearer ok_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG",
                 forHTTPHeaderField: "Authorization")

let (data, _) = try await URLSession.shared.data(for: request)
let apps = try JSONDecoder().decode([App].self, from: data)

const res = await fetch("https://api.orbitkit.io/api/apps", {
  headers: {
    Authorization: "Bearer ok_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG",
  },
});
const apps = await res.json();

Or set it as an environment variable for the CLI:

export ORBITKIT_API_KEY=ok_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG
orbitkit whoami

API keys work with every endpoint. The key identifies your account.

Revoke a key

  1. Go to the OrbitKit dashboard
  2. Navigate to Settings → API Keys
  3. Click the revoke button next to the key

Revocation is immediate — the key stops working on the next request.

Key rotation

To rotate a key without downtime:

  1. Create a new key in the dashboard
  2. Update your integration to use the new key
  3. Verify the new key works
  4. Revoke the old key in the dashboard

Error codes

Code HTTP Description
UNAUTHORIZED 401 Key is invalid, revoked, or malformed