Creating an API key
- Go to Settings → API keys in the Origami app
- Click Create API key
- Give it a descriptive name (e.g. “n8n integration”, “CRM sync”)
- Copy the key immediately — it’s shown only once
og_live_ prefix makes keys identifiable in leaked-credential scans (GitHub
secret scanning, GitGuardian, etc.).
Using your API key
Pass the key in theAuthorization header as a Bearer token:
401 UNAUTHORIZED. Organizations whose plan doesn’t include API access return
402 with code: "SUBSCRIPTION_REQUIRED" — upgrade to a plan with API access.
Projects and the x-origami-project header
Because keys are parent-wide, you choose which org a request acts on with thex-origami-project header:
- Omit it to act on the parent org.
- Send
x-origami-project: <projectId>to scope the request to that project (a child org). All org-scoped resources — workspaces, tables, agents, outreach — then operate inside the project.
/projects/* always manages projects from the
parent, and /account is always parent-scoped.
The header fails closed. A malformed id returns 400 VALIDATION_ERROR; an
unknown, cross-parent, or deleted project returns 404 PROJECT_NOT_FOUND. The
plan gate and rate limits stay keyed to the parent, and the concurrent-agent pool
is shared across the whole parent. Credits spent inside a project draw on the
parent’s shared wallet, subject to the project’s optional monthlyCredits budget
cap.
Manage projects with the Projects endpoints.
See objects and relationships
for how tenancy fits together.
Key management
- Multiple keys: Create as many keys as you need — one per integration is recommended.
- Revocation: Revoke a key anytime from the API keys settings page. Revoked
keys return
401immediately. - Rotation: To rotate a key, create a new one, update your integration, then revoke the old one.
- Identification: The UI shows the last 4 characters of each key.
Security best practices
- Store keys in environment variables (
ORIGAMI_API_KEY) or a secrets manager - Use separate keys for development and production
- Revoke keys immediately if they may have been exposed
- Review the API keys settings page periodically and remove unused keys
Rate limits
Limits apply per client IP and per organization. Both stay keyed to the parent org, even when a request is scoped to a project.| Scope | Limit |
|---|---|
| Per client IP | 300 requests / minute |
| Per organization | 100 requests / minute |
| Concurrent agent runs (per organization) | Plan-tunable (1 on starter, 3 on pro, 10 on scale, 20 on ultra, unlimited on enterprise) |
429 with code: "CONCURRENT_LIMIT_EXCEEDED" and a Retry-After
header.
When rate-limited, the API returns 429 Too Many Requests. Responses carry
usage headers so you can track quota proactively:
| Header | Description |
|---|---|
X-RateLimit-Limit-IP | Maximum requests allowed in the per-IP window |
X-RateLimit-Remaining-IP | Requests remaining in the current per-IP window |
X-RateLimit-Reset-IP | When the per-IP window resets |
X-RateLimit-Limit-Global | Maximum requests allowed in the per-org window |
X-RateLimit-Remaining-Global | Requests remaining in the current per-org window |
X-RateLimit-Reset-Global | When the per-org window resets |
Rate limits use a sliding window. If you hit the limit, honor
Retry-After
rather than retrying immediately.