Authentication - Origami API

The Origami API uses API keys for authentication. Each key is scoped to your organization and has access to all tables and workspaces within it.

Creating an API key

API keys follow the format:

og_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd

The og_live_ prefix makes keys identifiable in leaked credential scans (GitHub secret scanning, GitGuardian, etc.).

Pass the key in the Authorization header as a Bearer token:

curl https://origami.chat/api/v1/tables \
  -H "Authorization: Bearer og_live_YOUR_KEY"

Every request must include this header. Requests without a valid key return 401 Unauthorized.

Multiple keys: Create as many keys as you need — one per integration is recommended.
Revocation: Revoke a key anytime from the API Keys settings page. Revoked keys return 401 immediately.
Rotation: To rotate a key, create a new one, update your integration, then revoke the old one.
Identification: The UI shows the last 4 characters of each key for identification.

Never commit API keys to source control. Use environment variables or a secrets manager.

All endpoints are rate-limited per organization. Every API key in your organization shares the same quota.

Scope	Limit
Per organization, all endpoints	100 requests / minute
Per organization, `POST /tables/{tableId}/rows`	10 requests / minute

Rate limits use a sliding window. If you hit the limit, wait for the window to reset rather than retrying immediately.

When rate-limited, the API returns 429 Too Many Requests. Every response includes headers so you can track your usage proactively:

Header	Description
`X-RateLimit-Limit`	Maximum requests allowed in the window
`X-RateLimit-Remaining`	Requests remaining in the current window
`X-RateLimit-Reset`	Unix timestamp when the window resets