Skip to main content

Secure access

Planetary Orbit APIs rely on API keys scoped to a workspace. Keys belong to a human user and inherit their role permissions.
Never embed API keys in publicly accessible code or client-side bundles. If a key is compromised, rotate it immediately in Workspace → Public API.

Key lifecycle

  1. Open Workspace → Settings → Public API.
  2. Click Create key, give it a descriptive name (e.g., integration-gateway).
  3. Copy the key once—you won’t see it again. Store it in your secrets manager (GitHub Secrets, AWS Secrets Manager, etc.).
  4. Rotate regularly: create a replacement key, update your deployments, then delete the old one.
Keep one key per integration. This makes audits easier and lets you revoke access without disrupting unrelated systems.

Calling the API

All requests must include the Authorization header with a bearer token. 
Authorization: Bearer orbit_E4d9a3a21f97f4f9a11b4d0f5b18c9b1

GET https://api.planetaryapp.us/v1/workspace/14144149/info
Authorization: Bearer orbit_your_api_key

Multi-factor authentication (MFA)

Admins should enable MFA via Workspace → Security to protect the key creation flow and prevent unauthorized API key leakage.

Troubleshooting

  • 401 Unauthorized? Verify the header is spelled Authorization (capital A) and the key starts with orbit_.
  • 429 Too Many Requests? Back off for one minute or cache results—quota resets every 60 seconds per key.