Skip to main content

API Keys

Orwel uses API keys to authenticate requests. Your API keys carry many privileges, so be sure to keep them secure!

Key Types

Orwel provides two types of API keys per workspace:

Production Keys

Use in production environments
  • 1000 requests per minute
  • Full access to workspace data
  • Tracked separately for monitoring

Development Keys

Use for testing and development
  • 100 requests per minute
  • Full access to workspace data
  • Safe for local development

Authentication Methods

You can authenticate requests using either of these methods: Include your API key in the Authorization header: 
Authorization: Bearer YOUR_API_KEY

curl -X GET "https://api.orwel.io/api/v1/leads" \
  -H "Authorization: Bearer orw_prod_abc123..."

Custom Header

Alternatively, use the x-api-key header: 
x-api-key: YOUR_API_KEY

curl -X GET "https://api.orwel.io/api/v1/leads" \
  -H "x-api-key: orw_prod_abc123..."

Managing API Keys

Generating Keys

1

Access Settings

Navigate to your workspace settings in the Orwel dashboard
2

Go to API Keys

Click on the “API Keys” section
3

Generate New Key

Choose between Production or Development key
4

Copy and Store

Copy the key immediately - it won’t be shown again

Key Rotation

We recommend rotating your API keys regularly:
When you rotate a key, the old key is immediately invalidated. Update all applications using the old key before rotating.
  1. Generate a new API key
  2. Update all applications to use the new key
  3. Monitor for any failed requests
  4. Delete the old key once migration is complete

Security Best Practices

API keys should only be used in server-side code. Never include them in:
  • Frontend JavaScript
  • Mobile app code
  • Public repositories
  • Client-side configuration files
Store API keys in environment variables, not in your code:
# .env
ORWEL_API_KEY=orw_prod_abc123...

const apiKey = process.env.ORWEL_API_KEY;
Rotate your API keys every 90 days or immediately if you suspect a key has been compromised.
Regularly review your API key usage in the dashboard. Look for:
  • Unexpected traffic patterns
  • Failed authentication attempts
  • Unusual geographic locations

Key Tracking

Every API key tracks its last usage:
  • Production Key: prod_last_use timestamp
  • Development Key: dev_last_use timestamp
You can view this information in your workspace settings to monitor key activity.

Authentication Errors

401 Unauthorized

Returned when the API key is invalid or missing: 
{
  "error": "unauthorized",
  "message": "Invalid or missing API key"
}
Common causes:
  • Missing Authorization or x-api-key header
  • Invalid or expired API key
  • Typo in the API key

403 Forbidden

Returned when you don’t have access to the requested resource: 
{
  "error": "forbidden",
  "message": "Access denied to requested resource"
}
Common causes:
  • Trying to access another workspace’s data
  • Resource doesn’t exist in your workspace

Testing Authentication

Test your API key with this simple request: 
curl -X GET "https://api.orwel.io/api/v1/users" \
  -H "Authorization: Bearer YOUR_API_KEY"

Next Steps

Rate Limiting

Learn about rate limits for your API keys

API Reference

Start making API calls