Orux AI
Documentation

Authentication

Orux AI uses Bearer-token authentication. One key, all endpoints.

API keys (sk-app-…)

Orux AI keys are issued from the dashboard. Each key is ~64 characters (sk-app-<prefix8>_<48 base62>) and is AES-GCM encrypted at rest. Every key has a label, an enabled flag, an optional channel-group binding (official / special / either) and an optional IP allow-list.

Reveal anytime

Unlike services that only show the secret once, Orux AI lets you reveal the full key any time from the key list — click the eye icon on the row. The plaintext is fetched on demand over an authenticated session, never logged, never indexed.

Reveal, copy, rotate
The plaintext secret is available any time from the keys list, protected by your account session, so you can hand it off to coworkers without re-creating keys.

HTTP authentication

Pass the secret in the Authorization header as a Bearer token. We accept the OpenAI-style header on every endpoint, including async task polling and webhooks.

curl
curl https://orux.top/api/v1/models \
  -H "Authorization: Bearer sk-app-..."

Rotating a key

Create a new key, deploy it, then disable the old one from the dashboard. Disabled keys return 401 immediately on the next call. Two keys can coexist during the cut-over. We recommend a 24-hour overlap for queued async tasks.

Isolating apps

Create one key per environment (dev / staging / prod) or per service. Each key has its own usage timeline, so a runaway dev script never silently consumes prod budget.

IP allow-list

Optional. Set one or more CIDR ranges per key. Requests from outside the allow-list return ip_not_allowed (403). Leave it blank to accept requests from anywhere.

If a key leaks

Disable it from the dashboard immediately. Audit usage in the same screen — every call shows the key prefix, source IP and model. If the leak is significant, contact hello@orux.top for a forensic export.
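
To locate where a leaked key is still embedded, the documented key format (sk-app-<prefix8>_<48 base62>) can be turned into a scanner that reports only the prefix, which is the value the audit screen shows. This is an added example, not Orux AI code; it assumes the 8-character prefix is also base62, and every key in the sample is constructed.

```python
import re

# Assumption: the 8-character prefix uses the same base62 alphabet as the
# 48-character body; the page only states base62 for the body.
# The look-arounds reject tokens embedded in longer alphanumeric strings.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9])sk-app-([A-Za-z0-9]{8})_([A-Za-z0-9]{48})(?![A-Za-z0-9])"
)

def find_keys(text):
    """Return (line_number, prefix) for every key-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits

def prefixes_to_disable(text):
    """Unique prefixes found, for matching against rows in the key list."""
    return sorted({prefix for _, prefix in find_keys(text)})

def redact(text):
    """Drop the 48-character secret body but keep the prefix for triage."""
    return KEY_RE.sub(lambda m: f"sk-app-{m.group(1)}_[REDACTED]", text)

# Constructed sample input: two key-shaped tokens, one docs placeholder,
# and one token whose body is one character short of a valid key.
SAMPLE = "\n".join([
    'ORUX_KEY="sk-app-Ab12Cd34_' + "x7" * 24 + '"',
    'curl -H "Authorization: Bearer sk-app-..."',
    "token=sk-app-Zz99Yy88_" + "Q" * 47,
    "log: auth ok key=sk-app-Ef56Gh78_" + "0aB" * 16 + " ip=203.0.113.7",
])

if __name__ == "__main__":
    for lineno, prefix in find_keys(SAMPLE):
        print(f"line {lineno}: key with prefix {prefix}")
    print(redact(SAMPLE))
```

Run `redact` over logs or tickets before sharing them, so the text can be circulated during an investigation without spreading the secret further.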

Per-user limits

Concurrency is enforced at the user level — by default the same logged-in user is capped at 3 in-flight requests across all of their keys. Token / spend caps are per account. Both can be raised by an admin in the dashboard.

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| user_concurrency | int | 3 | Max in-flight requests for the whole account across every key. A streaming call holds one slot until the stream closes. |
| monthly_token_quota | int | | Hard cap on input+output tokens per calendar month for the account. 0 means unlimited. |
| credit_balance | int | | Available Credits. Orux AI short-circuits to quota_exceeded once the balance would go negative. |