API Keys & Authentication
Beta
API keys authenticate your requests to the Orvion API. They are scoped to an organization and control what you can do.
Creating API Keys
Create API keys via:
- Dashboard: Settings → API Keys → Create
- API: (Coming soon)
When creating a key:
- Name the key: Give it a descriptive name
- Set permissions: Choose what the key can do
- Copy the key: Save it immediately (it won't be shown again)
- Store securely: Keep it in a secure location
Using API Keys
Include your API key in the Authorization header:
```python
import requests

headers = {
    "Authorization": "Bearer your-api-key-here",
    "Content-Type": "application/json",
}
response = requests.get("http://localhost:8000/api/v1/invoices", headers=headers)
```
Key Security
Best Practices
- Never commit keys: Don't commit keys to version control
- Use environment variables: Store keys in environment variables
- Rotate regularly: Rotate keys periodically
- Limit permissions: Use keys with minimal required permissions
- Monitor usage: Monitor key usage for anomalies
Key Rotation
Rotate keys regularly:
- Create new key: Generate a new key
- Update application: Update your app to use the new key
- Verify: Test that the new key works
- Revoke old key: Delete or revoke the old key
Key Scoping
API keys are scoped to:
- Organization: Keys belong to a specific organization
- Permissions: Keys can have limited permissions
- Environment: Keys are environment-specific (sandbox/production)
Error Responses
401 Unauthorized
- Invalid key: Key doesn't exist or is revoked
- Wrong environment: Key is for a different environment
- Missing header: Authorization header is missing
403 Forbidden
- Insufficient permissions: Key doesn't have required permissions
- Organization mismatch: Key belongs to a different organization
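The rotation steps and the error responses above, combined in an added example (not Orvion's own code): it reads both keys from environment variables, verifies the new key before the old one is revoked, and afterwards confirms the old key is rejected. The variable names `ORVION_API_KEY` and `ORVION_API_KEY_NEXT` and the use of `/invoices` as the probe endpoint are assumptions; the key value never appears in the returned detail.

```python
import os
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8000/api/v1"  # host from the page's request example

# Causes per status code, as listed under "Error Responses" on this page.
CAUSES = {
    401: "invalid or revoked key, wrong environment, or missing Authorization header",
    403: "insufficient permissions or organization mismatch",
}


def http_status(url, key):
    """Send one authenticated GET and return only the HTTP status code."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {key}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def check_key(key, probe=http_status):
    """Return (works, detail); the key itself never appears in the detail."""
    status = probe(BASE_URL + "/invoices", key)
    if 200 <= status < 300:
        return True, "ok"
    return False, f"{status}: {CAUSES.get(status, 'unexpected status')}"


def rotation_state(environ=os.environ, probe=http_status):
    """Decide the next rotation step from how the old and new keys behave."""
    new_key = environ.get("ORVION_API_KEY_NEXT", "")  # assumed variable name
    old_key = environ.get("ORVION_API_KEY", "")       # assumed variable name
    if not new_key:
        return "keep-old", "ORVION_API_KEY_NEXT is not set"
    new_ok, detail = check_key(new_key, probe)
    if not new_ok:
        return "keep-old", f"new key rejected ({detail})"
    if old_key and check_key(old_key, probe)[0]:
        return "revoke-old", "new key verified; old key is still accepted"
    return "complete", "new key verified; old key is unset or rejected"
```

Call `rotation_state()` before and after revoking the old key in the dashboard: `revoke-old` means the cutover is safe, and `complete` means the old key no longer authenticates.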
Related Documentation
- Environments - Sandbox vs production
- Quickstart - Getting started guide