Authentication
How to authenticate with the Oru-el API using API keys and bearer tokens.
Authentication#
All Oru-el API requests (except the public model catalog) require authentication. Oru-el supports two authentication methods: API keys for programmatic access and JWT tokens for browser sessions.
API keys#
API keys are the primary way to authenticate with the Oru-el API. They are long-lived credentials designed for server-to-server and SDK usage.
Key format#
API keys start with the oruel_ prefix followed by 48 hexadecimal characters:
oruel_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6
Creating an API key#
- Log in to the Oru-el dashboard
- Navigate to Settings > API Keys
- Click Create API Key
- Enter a descriptive name (e.g., "production-backend", "dev-local")
- Copy the key immediately — it is only shown once
Using your API key#
Include your API key in the Authorization header as a Bearer token:
Authorization: Bearer oruel_your_api_key_here
Python#
from openai import OpenAI
client = OpenAI(
base_url="https://api.oru-el.com/v1/inference",
api_key="oruel_your_api_key_here",
)
JavaScript#
import OpenAI from "openai";
const client = new OpenAI({
baseURL: "https://api.oru-el.com/v1/inference",
apiKey: "oruel_your_api_key_here",
});
cURL#
curl https://api.oru-el.com/v1/inference/chat/completions \
-H "Authorization: Bearer oruel_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{"model": "llama-4-maverick", "messages": [{"role": "user", "content": "Hello"}]}'
Scopes#
API keys are issued with a scope that controls what operations they can perform:
| Scope | Permissions |
|---|---|
FULL_ACCESS | All operations — inference, compute, settings, billing |
SUBMIT_JOBS | Inference API calls and GPU job submission |
User-created API keys default to FULL_ACCESS. Both FULL_ACCESS and SUBMIT_JOBS scopes allow inference API usage.
Managing API keys#
From Settings > API Keys you can:
- View all your active keys (names, creation dates, last used)
- Delete keys you no longer need — deletion is immediate and irreversible
- Create new keys at any time
There is no limit on the number of API keys you can create.
JWT tokens (browser sessions)#
When you log in to the Oru-el dashboard, you receive a short-lived JWT access token. This is used automatically by the dashboard and playground — you don't need to manage JWTs manually.
JWT tokens carry the same user identity and permissions as API keys. If you're building a custom frontend that talks to the Oru-el API, use API keys instead.
Security best practices#
Use environment variables#
Never hardcode API keys in your source code. Store them in environment variables:
# .env file (add to .gitignore)
ORUEL_API_KEY=oruel_your_api_key_here
import os
from openai import OpenAI
client = OpenAI(
base_url="https://api.oru-el.com/v1/inference",
api_key=os.environ["ORUEL_API_KEY"],
)
Never commit keys to version control#
Add your .env file to .gitignore:
# .gitignore
.env
.env.local
.env.*.local
If you accidentally commit a key, delete it immediately from the Oru-el dashboard and create a new one.
Rotate keys regularly#
For production systems, rotate API keys periodically:
- Create a new key
- Update your application to use the new key
- Verify the new key works
- Delete the old key
Use separate keys per environment#
Create separate API keys for development, staging, and production. This makes it easy to revoke access to a single environment without affecting others.
Client-side applications#
Never expose API keys in client-side code (browser JavaScript, mobile apps). API calls should be made from your backend server. If you need to make calls from a client, route them through your own backend API.
Error responses#
Authentication failures return standard error responses:
Missing or invalid token#
{
"error": {
"code": "UNAUTHORIZED",
"message": "Authentication required"
}
}
HTTP status: 401 Unauthorized
Insufficient scope#
{
"error": {
"code": "FORBIDDEN",
"message": "API key lacks required scope (SUBMIT_JOBS, FULL_ACCESS)"
}
}
HTTP status: 403 Forbidden