Orqen Docs

API Reference

API keys

Orqen API keys authenticate agents calling /v1/chat/completionsand account API requests such as listing, creating, and revoking keys. The /v1/account/keys paths are the documented account API; the shorter /v1/keys paths are supported aliases.

Endpoints

GET/v1/account/keysList API keys for the current account. Full key secrets are never returned.
POST/v1/account/keysCreate a new API key. The secret is returned once.
PUT/v1/account/keys/{key_id}/toollistSet the tool allowlist and/or denylist for a key. Applied before pruning.
DELETE/v1/account/keys/{key_id}Revoke an API key.
GET/v1/keysShort alias for listing keys.
POST/v1/keysShort alias for creating keys.
DELETE/v1/keys/{key_id}Short alias for revoking keys.

Create a key

curl https://api.orqen.app/v1/account/keys \
  -X POST \
  -H "Authorization: Bearer sk-orq-YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-agent"
  }'

List keys

curl https://api.orqen.app/v1/account/keys \
  -H "Authorization: Bearer sk-orq-YOUR_KEY"

Tool allowlist and denylist

Restrict which tools can ever reach a model for a given key. The allowed_tools list acts as an allowlist — only those tool names pass through. The denied_tools list is a denylist — those names are always removed. Both are applied before pruning, giving you a hard governance boundary per key. Pass null to clear either list.

curl https://api.orqen.app/v1/account/keys/5f6d8c2a-.../toollist \
  -X PUT \
  -H "Authorization: Bearer sk-orq-YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_tools": ["get_weather", "search_docs"],
    "denied_tools": null
  }'

Revoke a key

curl https://api.orqen.app/v1/account/keys/5f6d8c2a-... \
  -X DELETE \
  -H "Authorization: Bearer sk-orq-YOUR_KEY"

Test the key

curl https://api.orqen.app/v1/usage/summary \
  -H "Authorization: Bearer sk-orq-YOUR_KEY"

Key limits

Orqen applies request-rate and saved-token limits from your account policy. New keys inherit those settings automatically, so key creation only needs a name.