Skip to main content
The AI Gateway also has its own API keys with optional cost, token, and rate limits. See AI Gateway API Keys.

What are API Keys

API Keys are secure tokens used to authenticate requests to Orq.ai. Each key is scoped to a single project and carries a set of permissions that control what it can do. Two key types are available, chosen by the key’s owner.

User keys

Tied to a specific user account and project. Automatically revoked if the user is removed from the organization or project. Use user keys for personal use and local development.

Service account keys

Not tied to any individual user, with a lifecycle independent of user membership. Only workspace admins can create service account keys. Use service account keys for production systems, so access does not break when a team member leaves.

Viewing API Keys

Navigate to Organization > API Keys to see all keys across projects. The table shows the following columns:
ColumnDescription
CreatedDate the key was created
NameKey label
TypeUser or Service
StatusActive, Disabled, or Revoked
PermissionsAll, Read only, or Restricted
Created byUser who created the key
Use the menu to filter by Type or Permissions.

Creating an API Key

1

Open the creation panel

Navigate to Organization > API Keys and select Create API key.
Create API key panel showing fields for owner, name, project, permissions, and expiration.
2

Choose an owner

Select You to create a User key, or Service account to create a key not tied to any individual user.
3

Set name and project

Enter a Name for the key and select the Project it will have access to.
4

Set permissions

Choose a permission preset. See Permissions below.
5

Set expiration (optional)

Set an Expiration date if the key should automatically become inactive after a certain date.
6

Create and copy the key

Select Create API key. A Save your key dialog appears showing the token and its permissions summary.
Save your key dialog showing the API key token with a Copy button and a Permissions summary reading Read and write API resources.
Click Copy to copy the token.
The token is only shown once. Store it securely before closing this dialog. It cannot be retrieved afterwards.

Permissions

PresetDescription
AllRead and write access to all API resources
Read onlyRead access to all API resources
RestrictedCustom per-resource access
With Restricted, set the permission for each resource individually: None, Read, or Write.
Write permission automatically includes Read where Read is available for the endpoint.
Resource None Read Write
Agent schedules
Agents
Annotations
Chunking
Datasets
Deployments
Evaluators
Feedback
Files
Guardrail rules
Human evaluations
Identities
Knowledge bases
Memory stores
Policies
Projects
Prompts
Reporting
Routing rules
Skills
Tools
Gateway
Chat completions
Embeddings
Images
Models
Moderations
OCR
Rerank
Responses
Speech
Transcriptions

Managing Keys

API Keys management table listing keys with columns for name, type, status, permissions, and created by.
Select the menu on any key to access the following actions:
  • Edit: update the name, permissions, or expiration date. The owner type cannot be changed after creation.
  • Duplicate: opens the creation panel pre-filled with the key’s current settings.
  • Delete: permanently removes the key. This cannot be undone.
A Revoked status means the key belonged to a user who was removed from the organization or project, or it has been revoked manually. Revocation is permanent.
Legacy API keys remain functional but cannot be transferred to the new format. To use granular per-resource permissions, create a new key and replace the legacy one.