API Tokens
API tokens let you authenticate against the Orchestra API programmatically — from scripts, CI jobs, or external integrations — without using your interactive login session. Each token is a long-lived bearer credential scoped to your account.
Overview
- Personal, account-scoped: every token belongs to the user who created it
- Shown once: the raw token is returned a single time at creation; only a short prefix is stored afterwards for display
- Named: give each token a human-readable name so you can tell them apart
- Revocable: delete a token at any time to immediately invalidate it
- Bearer auth: send the token as
Authorization: Bearer <token>on any API request
How It Works
- Create a token with a descriptive name. The API returns the raw token value exactly once — copy it immediately and store it somewhere safe (a secret manager).
- Use it as a bearer token on API calls, e.g. against
/api/prompts/searchor any other authenticated endpoint. - Revoke it when it is no longer needed, or if it may have leaked.
The raw token is only returned in the create response. Orchestra stores a hash plus a
short prefix (e.g. sk-abc123...) for display — it cannot show you the full value again.
If you lose it, revoke the token and create a new one.
API Reference
All endpoints require an authenticated session (or another valid token).
List Tokens
curl -X 'GET' \
'https://chat.ruska.ai/api/tokens' \
-H 'Authorization: Bearer <token>'
Returns an array of token metadata (id, name, prefix, timestamps) — never the raw values.
Create a Token
curl -X 'POST' \
'https://chat.ruska.ai/api/tokens' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{ "name": "ci-deploy-bot" }'
Response (200 OK):
{
"token": "sk-abc123...the-full-raw-token",
"api_token": { "id": "…", "name": "ci-deploy-bot", "prefix": "sk-abc123..." }
}
The token field is the raw credential — shown only here. The api_token object is the
stored metadata you will see in subsequent list calls.
Revoke a Token
curl -X 'DELETE' \
'https://chat.ruska.ai/api/tokens/{token_id}' \
-H 'Authorization: Bearer <token>'
Returns { "status": "success" }, or 404 if the token id does not exist.
Best Practices
Create a separate, clearly-named token for each script or service. When you rotate or revoke one, the others keep working.
Never commit a raw token to source control. Inject it via environment variables or a secret manager, and revoke any token that may have been exposed.