Node SDK overview
@orga-ai/node is the server-side half of every Orga integration. It keeps your permanent API key off the client, exchanges it for short-lived credentials, and hands those credentials to browsers or mobile apps through a route you control.
Purpose
- Security boundary – Converts sk_orga_ai_* into ephemeral tokens so clients never see the permanent key.
- Convenience wrapper – One method (getSessionConfig()) fetches both the token and ICE server list.
- Deployment-neutral – Works inside Express routes, Next.js API Routes, edge functions, or any Node 18+ runtime that exposes fetch.
How it fits into the flow
The client then uses that response to finish WebRTC negotiation (see the WebRTC model explanation).
Why you still need it (even with serverless frontends)
- API keys don’t belong in browsers – The Orga API key grants full account access; leaking it compromises every deployment.
- Short-lived tokens improve reliability – Tokens expire quickly, so stale credentials don’t linger on compromised devices.
- Centralized policy – Your proxy can enforce auth, rate limits, or per-tenant routing before handing out credentials.
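The centralized-policy point above, sketched as an added example (not code from the Orga SDK or its docs). Only getSessionConfig() and its { ephemeralToken, iceServers } result come from this page; the authenticate callback, the req.session shape, the { status, headers, body } result and the stub client are assumptions made so the block runs offline.

```javascript
// Policy gate placed in front of getSessionConfig(): authenticate, rate-limit,
// then forward only the two documented fields to the client.
function createRateLimiter(limit, windowMs) {
  const hits = new Map(); // userId -> request timestamps still inside the window
  return function allow(userId, now = Date.now()) {
    const recent = (hits.get(userId) || []).filter((t) => now - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(now);
    hits.set(userId, recent);
    return ok;
  };
}

// Copy fields explicitly so nothing else on the SDK result reaches the browser.
function toClientPayload(config) {
  return { ephemeralToken: config.ephemeralToken, iceServers: config.iceServers };
}

function createSessionHandler({ orga, authenticate, allow }) {
  return async function handle(req) {
    const userId = authenticate(req); // hypothetical: returns a user id or null
    if (!userId) return { status: 401, body: { error: "unauthenticated" } };
    if (!allow(userId)) return { status: 429, body: { error: "rate_limited" } };
    try {
      const config = await orga.getSessionConfig();
      // Credentials are short-lived; tell intermediaries not to cache them.
      return { status: 200, headers: { "Cache-Control": "no-store" }, body: toClientPayload(config) };
    } catch (err) {
      // Log err server-side; do not echo upstream error details to the client.
      return { status: 502, body: { error: "credential_exchange_failed" } };
    }
  };
}

// Constructed stand-in for the SDK client (placeholder key, fake token).
const stubOrga = {
  apiKey: "sk_orga_ai_EXAMPLE_PLACEHOLDER",
  async getSessionConfig() {
    return { ephemeralToken: "constructed-token", iceServers: [{ urls: "stun:stun.example.invalid:3478" }] };
  },
};

const handler = createSessionHandler({
  orga: stubOrga,
  authenticate: (req) => req.session?.userId ?? null, // assumes session middleware ran earlier
  allow: createRateLimiter(2, 60_000), // 2 credential requests per user per minute
});
```

In a real route, pass the SDK's client instance as orga and map the returned status, headers and body onto your framework's response object.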
Capabilities in the box
- OrgaAI class that stores config (apiKey, timeout, debug).
- getSessionConfig() which wraps token + ICE requests and returns { ephemeralToken, iceServers }.
- Internal helpers (fetchEphemeralToken, fetchIceServers) in case you need more granular control.
- Optional debug logging so you can trace credential exchanges during development.
Supported environments
| Environment | Example |
|---|---|
| Express / Fastify | Traditional REST route that returns await orga.getSessionConfig(). |
| Next.js (App Router) | export async function GET() using the same class instance. |
| Edge runtimes | Works wherever fetch, WebCrypto, and AbortController exist (Node 18+, Vercel Edge, Cloudflare). |
| Serverless functions | Instantiate the client per request or reuse a singleton if the platform caches modules. |
Config expectations
| Variable | Purpose |
|---|---|
| ORGA_API_KEY | Permanent credential issued in the Orga dashboard; store it in a secrets manager. |
| ORGA_BASE_URL (optional) | Override for testing against non-production Orga environments. |
Next steps
- Need to see the layered diagram? Read the Node SDK architecture explanation.
- Ready to implement the route? Follow the secure backend proxy how-to or the Node tutorial.
- Looking up API signatures? Check the Node SDK reference.