Authentication
Authenticate to ORGN Gateway with API keys for programmatic access or id-orgn SSO for the console. Covers Bearer token format, key management, and security best practices.
ORGN Gateway uses two authentication surfaces, depending on how you interact with the product:
| Surface | Who uses it | Method |
|---|---|---|
| Gateway API | Applications, SDKs, CI pipelines | API key (sk-ollm-*) via Authorization: Bearer |
| Gateway console | Engineers and operators | SSO via id-orgn only |
There is no email/password login, no local accounts, and no alternative identity providers. All human access to the console flows through id-orgn.
API key authentication
All requests to the Gateway API at https://api.gateway.orgn.com/v1 require a valid API key sent as a Bearer token.
Key format
Gateway API keys use the sk-ollm- prefix:
```
sk-ollm-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Create and manage keys in the Gateway console under API Keys. Each key is shown once at creation — copy it immediately and store it in a secrets manager. Keys cannot be recovered after you leave the creation screen.
Sending the key
Include the key in the Authorization header on every request:
```
Authorization: Bearer sk-ollm-YOUR_API_KEY
Content-Type: application/json
```
Example request
```bash
curl https://api.gateway.orgn.com/v1/models \
  -H "Authorization: Bearer sk-ollm-YOUR_API_KEY"
```
```javascript
const res = await fetch("https://api.gateway.orgn.com/v1/chat/completions", {
  method: "POST",
  headers: {
    Authorization: "Bearer sk-ollm-YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    model: "phala_deepseek_r1",
    messages: [{ role: "user", content: "Hello" }],
  }),
});
```
Never expose API keys in frontend code, public repositories, or client-side bundles. Gateway keys grant inference access and should live in server-side environments or secret stores only.
Key lifecycle
| Action | Where | Effect |
|---|---|---|
| Create | Console → API Keys → Generate Key | New sk-ollm-* key, shown once |
| Revoke | Console → API Keys → Delete | Key stops working immediately |
| Rotate | Create new key, update callers, revoke old | Zero-downtime if done in that order |
Revoked keys return 401 Unauthorized. There is no grace period.
Console authentication (SSO)
The Gateway console at gateway.orgn.com uses SSO-only authentication through id-orgn.
Sign in
Open gateway.orgn.com and click Sign in with Orgn SSO. You are redirected to id-orgn to complete authentication.
Session
On success, id-orgn returns you to the console with a signed session cookie. The console uses this session for all dashboard operations — API key management, model browsing, playground, and team settings.
Sign out
Sign out from the console or from id-orgn to end the session. Console sessions do not grant API access; you still need a separate sk-ollm-* key for programmatic requests.
Console SSO and API keys are independent credentials. Signing into the console does not automatically create an API key, and an API key does not grant console access.
What authentication does not cover
Authentication proves who is calling the API or accessing the console. It does not determine execution security — that depends on the model you select:
- TEE models (near_*, phala_*) run in hardware-isolated Trust Domains and produce attestation receipts.
- ZDR models (vercel_*) run under Vercel's zero data retention agreements without hardware attestation.
Model IDs use underscores (for example near_qwen3_30b, vercel_claude_sonnet_4_6) — not slashes. See Model catalog for the full list and execution-type breakdown.
Verifying TEE requests
Attestation verification happens in scanner.orgn.com, not in the Gateway console. After sending a TEE model request, open Scanner to inspect attestation status, cryptographic signatures, and verification outcomes.
Scanner shows request metadata and attestation artifacts. It does not display prompt contents or model outputs.
See Verify a request and Verification for the full attestation workflow.
Error responses
| HTTP status | Cause | Resolution |
|---|---|---|
| 401 Unauthorized | Missing, malformed, or revoked API key | Confirm Authorization: Bearer sk-ollm-... header is present and the key is active |
| 403 Forbidden | Valid key but insufficient permissions | Check team membership and key scope in the console |
| 429 Too Many Requests | Rate limit exceeded | Back off and retry; contact support for higher limits |
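The status handling from the error table, combined with the advice to keep keys in server-side environments, as an added example (not ORGN's own SDK code). The `GATEWAY_API_KEY` variable name, the `gatewayFetch` helper and the retry settings are assumptions; the base URL, key prefix and status codes come from this page.

```javascript
// Added example, not ORGN's SDK. GATEWAY_API_KEY, gatewayFetch and the retry
// settings are assumptions; the URL, key prefix and status codes are from this page.
const BASE_URL = "https://api.gateway.orgn.com/v1";

// Read the key from the server-side environment and check its prefix early.
function loadKey(env = process.env) {
  const key = env.GATEWAY_API_KEY; // assumed variable name
  if (!key || !key.startsWith("sk-ollm-")) {
    throw new Error("GATEWAY_API_KEY is missing or lacks the sk-ollm- prefix");
  }
  return key;
}

// Map an HTTP status to an action, following the error table above.
function classify(status) {
  if (status === 401) return "fail-auth";  // missing, malformed or revoked key
  if (status === 403) return "fail-scope"; // valid key, insufficient permissions
  if (status === 429) return "retry";      // rate limited: back off and retry
  return status >= 200 && status < 300 ? "ok" : "fail-other";
}

async function gatewayFetch(path, init = {}, opts = {}) {
  const {
    fetchImpl = globalThis.fetch,
    env = process.env,
    maxRetries = 4,
    baseDelayMs = 500,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const key = loadKey(env);
  const headers = { "Content-Type": "application/json", ...init.headers, Authorization: `Bearer ${key}` };
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`${BASE_URL}${path}`, { ...init, headers });
    const action = classify(res.status);
    if (action === "ok") return res;
    if (action === "retry" && attempt < maxRetries) {
      // Exponential backoff with full jitter; only 429 is retried.
      await sleep(Math.random() * baseDelayMs * 2 ** attempt);
      continue;
    }
    // 401 and 403 fail immediately: a revoked key has no grace period, so a
    // retry cannot succeed. The key stays out of the message because errors get logged.
    const err = new Error(`Gateway request failed: HTTP ${res.status} (${action})`);
    err.status = res.status;
    throw err;
  }
}
```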
What's next
- Gateway Quickstart — create a key and send your first request
- API Keys — console key management
- Security model — threat boundaries and data handling