Authentication
Authentication
All API requests must include a valid API key in the Authorization header. This page covers how to authenticate, manage keys, and handle auth errors.
Bearer token authentication
Include your API key in the Authorization header using the Bearer scheme. Requests without a valid key receive a 401 Unauthorized response.
Authorization: Bearer orca_live_xxxxxxxxxxxxxxxxAPI key format
Oceanir API keys use the format orca_<env>_<32-char-random>. Keys are hashed before storage and cannot be recovered if lost.
| Prefix | Environment |
|---|---|
orca_live_ | Production |
orca_test_ | Sandbox (no credits deducted) |
Security practices
- —Never commit API keys to version control. Use environment variables.
- —Rotate keys every 90 days or immediately if compromised.
- —Use separate keys for development, staging, and production.
- —Keys are scoped to your account. Team keys are coming soon.