Skip to main content
All Orchata API endpoints require authentication. We support two authentication methods: API Keys for programmatic access and Session Auth for the web dashboard.

API Key Authentication

API keys are the recommended way to authenticate with the Orchata API. They’re perfect for:
  • Server-side applications
  • CI/CD pipelines
  • AI agents and MCP integrations
  • Any programmatic access

Creating an API Key

1

Go to Settings

Navigate to API Keys in the Orchata dashboard.
2

Create API Key

Click Create API Key and enter a descriptive name.
3

Copy Your Key

Copy the API key immediately - you won’t see it again.
API keys are shown only once. Store them securely in environment variables or a secrets manager.

Using Your API Key

Include your API key in the Oai-Api-Key header: 
curl -X GET https://api.orchata.ai/spaces \
  -H "Oai-Api-Key: your-api-key"
You can also use the Authorization: Bearer your-api-key header if you prefer standard Bearer token auth.

API Key Properties

PropertyDescription
idUnique identifier
nameHuman-readable name for identification
prefixFirst few characters (e.g., abc...) for identification
expiresAtOptional expiration date
permissionsGranular access control

Tier-Specific Constraints

API key capabilities vary by pricing tier. Your tier determines how many keys you can create, expiration requirements, and permission options.
ConstraintSandboxDeveloperPro
Max API Keys110Unlimited
Expiry RequiredYes (30 days)NoNo
Max Expiry Days30 (enforced)UnlimitedUnlimited
Rate LimitingRequired (max 100/day)OptionalOptional
Custom PermissionsNoNoYes
Sandbox Tier:
  • Only 1 API key allowed
  • Expiry is mandatory and set to exactly 30 days
  • Rate limiting cannot be disabled (max 100 requests per day)
Developer Tier:
  • Up to 10 API keys
  • Expiry is optional
  • Rate limiting is configurable
  • Standard permission levels only
Pro Tier:
  • Unlimited API keys
  • Expiry is optional
  • Rate limiting is configurable
  • Custom permission sets - Create fine-grained permission configurations beyond standard levels
Need more API keys or custom permissions? View plans to upgrade your tier.

Expiration

API keys can be set to expire after a specific date. This is useful for:
  • Temporary access for contractors
  • Rotating keys on a schedule
  • Time-limited integrations
{
  "name": "CI/CD Pipeline",
  "expiresAt": "2024-12-31T23:59:59Z"
}
For production applications, consider rotating API keys periodically as a security best practice.

Permissions

API keys can have granular permissions to limit their access. Permissions are organized by resource type.

Available Permissions

PermissionDescription
spaces:readList and view spaces
spaces:writeCreate and update spaces
spaces:deleteArchive/delete spaces
PermissionDescription
documents:readList and view documents
documents:writeUpload and update documents
documents:deleteDelete documents
PermissionDescription
queries:readExecute queries
PermissionDescription
apikeys:readList API keys
apikeys:writeCreate API keys
apikeys:deleteDelete API keys

Principle of Least Privilege

Always grant the minimum permissions required. An API key for querying doesn’t need write access.
Example: A read-only key for an AI agent: 
{
  "name": "AI Agent - Read Only",
  "permissions": ["spaces:read", "documents:read", "queries:read"]
}

Session Authentication

The Orchata web dashboard uses session-based authentication. This is handled automatically when you log in. Session auth is also available for the MCP server when accessed through OAuth-enabled clients.

Error Responses

Authentication errors return standard HTTP status codes:
StatusErrorDescription
401UnauthorizedMissing or invalid API key
403ForbiddenValid key but insufficient permissions
{
  "error": "Unauthorized",
  "message": "Invalid API key"
}

Security Best Practices

Use Environment Variables

Never hardcode API keys in source code.

Rotate Regularly

Change API keys periodically, especially after team changes.

Limit Permissions

Grant only the permissions each key needs.

Set Expiration

Use expiring keys for temporary access.

Next Steps

MCP Server

Connect AI assistants to Orchata.

API Reference

Explore all available endpoints.