Authentication

The Orga API uses bearer token authentication for all requests.
There are two types of tokens depending on where you’re making the call:

• Server API Keys – permanent credentials used only from your backend.
• Ephemeral Tokens – short-lived JSON Web Tokens (JWTs) issued by your backend to clients.

This dual-layer model prevents permanent credentials from ever touching end-user devices.

1. Get Your API Key

You can create and manage your API keys from the Orga AI Developer Platform .

1. Log in or create an account.
2. Navigate to API Keys in your dashboard.
3. Create a new key and copy its value.

Keys are prefixed with: sk_orga_ai_

2. Exchange Your API Key for an Ephemeral Token

Clients never use your API key directly.
Instead, your server exchanges it for a short-lived ephemeral token, which grants temporary access to WebRTC session APIs.

• Endpoint: POST /v1/realtime/client-secrets
• Auth header: Authorization: Bearer sk_orga_ai_...
• Issue source: Server only
• Response: A JSON object containing an ephemeral JWT

This ephemeral token is valid for a short time window (TTL configured by Orga’s backend, typically under a few minutes).

Example Request

curl https://api.orga-ai.com/v1/realtime/client-secrets \
  -H "Authorization: Bearer sk_orga_a_your_api_key_here" \
  -H "Content-Type: application/json" \

Example Response

{
  "ephemeral_token": "your_ephemeral_token_here"
}

3. Using Tokens Across the API

Once your server issues the ephemeral token, your app uses it to interact with other Orga API endpoints:

4. Example Full Flow

5. Summary

📘 Remember:

• Generate permanent keys in your Orga Platform Dashboard
  
• Exchange them for ephemeral tokens via /v1/realtime/client-secrets
  
• Use ephemeral tokens with /v1/realtime/calls and /v1/realtime/ice-config