API Keys
Create, manage, and rotate sk-ollm-* API keys in the Gateway console. Keys authenticate Bearer requests to api.gateway.orgn.com.
API keys are the credential for programmatic access to ORGN Gateway. Every request to https://api.gateway.orgn.com/v1 must include a valid key in the Authorization: Bearer header.
Keys are created and managed in the Gateway console under API Keys. Console access itself requires id-orgn SSO — API keys and console sessions are separate credentials.
Key format
Gateway API keys use the sk-ollm- prefix:
sk-ollm-a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6The prefix identifies the key as an ORGN Gateway credential. Treat the full string as a secret — it grants inference access against your team's balance.
Creating a key
Open API Keys
Sign in to gateway.orgn.com with id-orgn and navigate to API Keys.
Generate
Click Generate Key and enter a descriptive name (for example production-backend, ci-pipeline, local-dev).
Copy immediately
The full sk-ollm-* value is displayed once. Copy it to a secrets manager before closing the dialog.
Keys cannot be recovered after creation. If you lose a key, revoke it and generate a new one.
Using a key
Send the key on every API request:
Authorization: Bearer sk-ollm-YOUR_API_KEY
Content-Type: application/jsonList models
curl https://api.gateway.orgn.com/v1/models \
-H "Authorization: Bearer sk-ollm-YOUR_API_KEY"Chat completion
curl -X POST https://api.gateway.orgn.com/v1/chat/completions \
-H "Authorization: Bearer sk-ollm-YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "near_qwen3_30b",
"messages": [
{ "role": "user", "content": "Hello" }
]
}'Model IDs use underscores (near_qwen3_30b, phala_deepseek_r1, vercel_claude_sonnet_4_6) — not slashes.
Managing keys
| Action | Steps | Effect |
|---|---|---|
| View active keys | API Keys page | See key names and creation dates — not the secret values |
| Revoke | Click delete on a key | Key stops working immediately; returns 401 |
| Rotate | Create new key → update all callers → revoke old key | Zero-downtime rotation |
Rotation procedure
- Generate a new key with a distinct name (for example
production-backend-v2). - Update environment variables, secret stores, and CI configurations to use the new key.
- Confirm production traffic succeeds with the new key.
- Revoke the old key.
Never revoke the only active key before callers are updated.
Security practices
- Server-side only — never embed keys in frontend code, mobile apps, or public repositories.
- One key per environment — separate keys for development, staging, and production simplify rotation and incident response.
- Least privilege — use team roles in the console to limit who can create or revoke keys.
- Monitor usage — unexpected spikes in token consumption may indicate a leaked key.
API key authentication proves identity. It does not change execution security — the model you select determines whether inference runs in a TEE (with attestation) or under ZDR (policy-enforced retention).
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Missing header, wrong prefix, or revoked key | Confirm Authorization: Bearer sk-ollm-... and key is active |
| 403 Forbidden | Key valid but team lacks access | Check team membership and billing status |
| Key not visible after creation | Keys are write-once | Revoke and generate a new key |
What's next
- Authentication — full auth model for API and console
- Gateway Quickstart — first request walkthrough
- Playground — test models without writing code
Gateway Console
Manage API keys, browse models, test inference in the Playground, and configure team access from the ORGN Gateway console at gateway.orgn.com.
Team Management
Create and manage teams in the Gateway console to share billing, invite collaborators, and control access with role-based permissions.