Every request to the Orchestra API requires authentication via an API key. This page explains how to create, manage, and secure your API keys.

Create an API Key

1. Open API Key Settings

In the Orchestra portal, click your username in the top-right corner, then select API Keys.

2. Create New Key

Click Create to generate a new key.

3. Configure the Key

Field | Description
Name | A descriptive label (e.g., “Production Server”, “Development”, “CI/CD”)
User | Optionally restrict this key to a specific user’s payment accounts

4. Save and Copy

Click Save. The portal displays your new API key.
Copy the key immediately. You won’t be able to see it again. If you lose it, you’ll need to create a new one.

Using Your API Key

Include the API key in the X-Api-Key header of every request:
curl -X POST https://api.orchestrasolutions.com/PaymentGateway/charge \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: your_api_key_here" \
  -d '{ ... }'

User Assignment

When you assign an API key to a specific user:
  • The key can only access Payment Gateway Accounts assigned to that user
  • Transactions are logged under that user’s activity
  • Useful for multi-tenant setups or restricting access
If you don’t assign a user, the key has access to all Payment Gateway Accounts in your organization.

Security Best Practices

Never expose keys in client code

API keys should only exist on your server. Never include them in frontend JavaScript, mobile apps, or public repositories.

Use environment variables

Store keys in environment variables, not in code. Use secrets managers in production.

Rotate keys periodically

Create new keys and deprecate old ones on a regular schedule, especially if you suspect exposure.

Use separate keys per environment

Create distinct keys for development, staging, and production. If a development key is compromised, you can revoke it without affecting production.
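
A repository check for the first two practices above (keys out of client code, keys in environment variables), as an added example that is not part of the Orchestra documentation: it flags literal X-Api-Key values in source text and skips environment references and the your_api_key_here placeholder. The ORCHESTRA_API_KEY variable name, the safe-prefix list and the sample files are assumptions constructed for the example.

```python
import re

# Header-string form, e.g. curl -H "X-Api-Key: value"
HEADER_LINE = re.compile(r"X-Api-Key:\s*([^\s\"']+)", re.IGNORECASE)
# Key/value literal form, e.g. {"X-Api-Key": "value"} or set("X-Api-Key", "value")
KEY_VALUE = re.compile(
    r"[\"']X-Api-Key[\"']\s*[:,=]\s*[\"']([^\"']+)[\"']", re.IGNORECASE
)
# Values that are references or placeholders rather than secrets (assumed list).
SAFE_PREFIXES = ("$", "<", "{{")
PLACEHOLDERS = {"your_api_key_here"}


def find_hardcoded_keys(path, text):
    """Return (path, line_number, redacted_value) for each literal key found."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for pattern in (HEADER_LINE, KEY_VALUE):
            for match in pattern.finditer(line):
                value = match.group(1)
                if value.startswith(SAFE_PREFIXES) or value.lower() in PLACEHOLDERS:
                    continue
                # Report only the first four characters so the scan output
                # does not become a second copy of the secret.
                findings.append((path, number, value[:4] + "***"))
    return findings


# Constructed sample files; key values and ORCHESTRA_API_KEY are made up.
SAMPLES = {
    "deploy.sh": 'curl -H "X-Api-Key: $ORCHESTRA_API_KEY" https://api.orchestrasolutions.com/PaymentGateway/charge\n',
    "docs.sh": 'curl -H "X-Api-Key: your_api_key_here" ...\n',
    "checkout.js": 'const headers = {\n  "X-Api-Key": "demo-constructed-key-0001",\n};\n',
    "server.py": 'headers = {"X-Api-Key": os.environ["ORCHESTRA_API_KEY"]}\n',
    "old_test.sh": "curl -H 'X-Api-Key: demo-constructed-key-0002' ...\n",
}


def scan(files):
    """Scan a {path: text} mapping and return all findings, ordered by path."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(find_hardcoded_keys(path, text))
    return results


if __name__ == "__main__":
    for path, number, shown in scan(SAMPLES):
        print(f"{path}:{number}: hardcoded X-Api-Key value {shown}")
```

Run as a pre-commit or CI step, a non-empty result from scan() is the signal to block the change and rotate the flagged key.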

Rotating Keys

To rotate an API key:
  1. Create a new key
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Delete the old key
There’s no downtime during rotation—both keys work until you delete the old one.

Revoking Keys

To revoke a compromised or unused key:
  1. Go to API Keys in the portal
  2. Find the key by name
  3. Click Delete or Revoke
The key stops working immediately.
