
Authentication in Orbit

Authentication ensures that only authorized users and systems can access the Orbit App and Platform API.
Orbit supports multiple authentication methods depending on your use case:

  • App Users: Email/password login, or single sign-on (SSO) via OAuth providers (Google, Microsoft, etc.).
  • Partner Integrations: External JWT authentication for trusted business units and third-party systems.
  • Programmatic Access: API key authentication for service-to-service calls.

User Authentication (App Login)

  • Email & Password: Users can sign up or log in directly with their credentials.
  • SSO via OAuth2: Organizations may enable Google, Microsoft, or other identity providers.
  • Session Tokens: Once logged in, users receive a signed JWT stored in session cookies.

Partner Authentication (External JWT)

Trusted partners can authenticate users programmatically by POSTing a signed request to /jwt. Orbit validates the request, creates any missing org/account/user records, and issues a session JWT.

  • Required Fields:
    • platform
    • org_id
    • account_id
    • user_id
    • email
    • name
    • roles
  • Headers: Must include a valid x-api-key (assigned per partner app).
  • JWTs: Signed by Orbit, valid for 1 hour.
  • Scope: Only organization, account, and user-level entities may authenticate via JWT.
  • Logging: All login attempts are logged and rate-limited.
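As an added example (not Orbit's own client code), a small Python helper that builds the /jwt request with the documented required fields and x-api-key header, and reads the returned session JWT's exp claim to schedule a refresh before the 1-hour expiry. The base URL, the JSON body shape and the demo token builder are assumptions; the page does not document how the partner request is signed, so no signing is shown.

```python
import base64
import json
import time

# Fields Orbit requires in a POST /jwt partner login (from the page).
REQUIRED_FIELDS = ("platform", "org_id", "account_id", "user_id", "email", "name", "roles")
ORBIT_JWT_TTL = 3600  # Orbit session JWTs are valid for 1 hour


def prepare_jwt_login(fields, api_key, base_url="https://orbit.example"):
    """Build the /jwt request. Reject incomplete input client-side so a partner
    never sends a malformed attempt that Orbit will log and rate-limit.
    base_url and the JSON body layout are assumptions, not Orbit's documented API."""
    missing = [f for f in REQUIRED_FIELDS if fields.get(f) in (None, "")]
    if missing:
        raise ValueError(f"missing required /jwt fields: {missing}")
    if not api_key:
        raise ValueError("x-api-key is required for partner authentication")
    return {
        "method": "POST",
        "url": f"{base_url}/jwt",
        "headers": {"x-api-key": api_key, "Content-Type": "application/json"},
        "json": {f: fields[f] for f in REQUIRED_FIELDS},
    }


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Read the claims of a compact JWT WITHOUT verifying it. Only Orbit verifies
    the signature; a client reads exp purely to know when to refresh."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token, now=None):
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def needs_refresh(token, now=None, margin=300):
    """True when the session JWT expires within `margin` seconds."""
    return seconds_until_expiry(token, now) <= margin


def demo_token(claims):
    """Constructed, unsigned stand-in token for local tests; NOT Orbit's format."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```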
API Key Authentication

For direct API integrations (e.g., automation, scripts, or backend services), you can authenticate requests using an API key.

  • Include the key in the x-api-key header.
  • Keys are managed in the Orbit Admin Console under Integrations → API Keys.
  • Keys can be scoped to an organization or account.

Security Notes

  • JWTs expire after 1 hour and must be refreshed.
  • API keys should be rotated regularly and stored securely (e.g., in a secret manager).
  • Failed or suspicious authentication attempts are logged and may be rate-limited.
  • All authentication methods use TLS for transport security.

Roadmap

  • Refresh Tokens: Planned for persistent sessions.
  • Granular Role-Based Access Control (RBAC): Coming soon to allow more fine-grained API permissions.
  • Expanded OAuth Providers: Additional identity provider support.
