Authentication

Orqen uses two types of keys: an Orqen API key (authenticates your agent to the Orqen proxy) and provider API keys (used to call your LLM provider). They serve different purposes.

Orqen API keys

Every request to https://api.orqen.app/v1 must include an Orqen API key in the Authorization header:

Authorization: Bearer sk-orq-a1b2c3d4e5f6...

Orqen keys have the format sk-orq- followed by 64 hex characters. They are SHA-256 hashed before storage — the plaintext key is shown once at creation and never stored or displayed again.

Key properties

| Property | Value |
|---|---|
| Format | sk-orq-{64 hex chars} |
| Storage | SHA-256 hash only — plaintext never persisted |
| Rate limit | 60 req/min by default (configurable per key) |
| Scope | Access all endpoints for your account |

Creating API keys

Create keys in the dashboard under API Keys, or via the API:

import httpx

response = httpx.post(
    "https://api.orqen.app/v1/account/keys",
    headers={"Authorization": "Bearer sk-orq-YOUR_KEY"},
    json={
        "name": "production-agent",
        "rate_limit_rpm": 60,          # optional, default 60
        "k_target_override": None,     # optional, default 5-8 tools
    },
)
response.raise_for_status()   # surface 401/403/429 instead of a KeyError below
data = response.json()
print(data["key"])   # shown once — store it securely

Provider API keys

Orqen forwards your requests to OpenAI, Anthropic, Bedrock, or other providers using your own credentials. There are two ways to provide these:

Option 1: Store in the dashboard (recommended)

Go to Providers in the dashboard and add your keys once. Orqen encrypts them with AES-128 (Fernet) before storing. On each request, the key for the relevant provider is decrypted in memory and injected into the upstream call.

This is the cleanest option — your agent code never needs to know which provider credentials are in use. Orqen detects the provider from the model field (e.g. gpt-4o → OpenAI, groq/llama-3.3-70b-versatile → Groq).

Option 2: Pass per-request

Provider credentials can also be passed as extra fields in the request body. Orqen reads them and injects them into the upstream call. They are not stored.

client.chat.completions.create(
    model="bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0",
    messages=[...],
    tools=[...],
    # AWS IAM credentials (used only for this request)
    aws_access_key_id="AKIA...",
    aws_secret_access_key="...",
    aws_region_name="us-east-1",
)

Security note

When passing credentials per-request, they travel over TLS to Orqen's servers and are used immediately. Storing them in the dashboard (option 1) avoids embedding credentials in your agent code or CI environment.
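To catch credentials that do end up in agent code or CI logs, the key formats shown on this page can be scanned for before commit. The following is an added example, not Orqen's code; the AWS access key ID pattern, the case-insensitive hex match, the `fingerprint` helper and the sample input are assumptions made for the example.

```python
import hashlib
import re

# Orqen key format as documented on this page: "sk-orq-" + 64 hex characters.
# Accepting upper-case hex as well is an assumption, made to avoid misses.
ORQEN_KEY = re.compile(r"\bsk-orq-[0-9a-fA-F]{64}\b")
# Long-term AWS access key IDs: "AKIA" followed by 16 upper-case letters/digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

PATTERNS = {"orqen_api_key": ORQEN_KEY, "aws_access_key_id": AWS_KEY_ID}


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so a report can identify a key without repeating it.
    Hypothetical helper; not claimed to equal the hash Orqen stores."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan(text: str) -> list[dict]:
    """Return one finding per credential-shaped string: line number, kind, fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"line": lineno, "kind": kind, "fingerprint": fingerprint(match.group())}
                )
    return findings


def redact(text: str) -> str:
    """Replace each match with its kind and fingerprint, e.g. before sharing a log."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: f"<{k}:{fingerprint(m.group())}>", text)
    return text


# Constructed sample input: neither flagged value is a real credential.
SAMPLE = "\n".join([
    'headers = {"Authorization": "Bearer sk-orq-' + "ab12" * 16 + '"}',
    'headers = {"Authorization": "Bearer sk-orq-YOUR_KEY"}',  # placeholder, not flagged
    'aws_access_key_id="AKIA' + "EXAMPLE0" * 2 + '",',
    'aws_access_key_id="AKIA...",',                            # elided, not flagged
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

Because findings carry only a fingerprint, the scanner's own output can be stored in CI logs without re-exposing the key.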

Auth errors

| Status | Meaning | Fix |
|---|---|---|
| 401 | Missing or invalid Orqen API key | Check the Authorization header format |
| 401 (expired) | API key has passed its expiry date | Create a new key in the dashboard |
| 403 | Account is inactive | Contact support@orqen.app |
| 429 | Rate limit exceeded | Slow down or raise the limit in API Keys settings |
| 503 | Auth service temporarily unavailable | Retry after 30 seconds — see Retry-After header |