The api_key is returned once. Store it immediately in a secret manager.
cURL
curl -sS https://api.orgs.sh/v1/accounts \
  -H "content-type: application/json" \
  -d '{"email":"operator@example.com"}'

{
  "id": "7f9d5ad9-5f0d-42c3-8f64-0dd1a2cbf641",
  "email": "operator@example.com",
  "api_key": "f4d9c7de-3dbd-45fa-9251-1f0cc6c4bb3b"
}
POST
/
v1
/
accounts
cURL
curl -sS https://api.orgs.sh/v1/accounts \
  -H "content-type: application/json" \
  -d '{"email":"operator@example.com"}'

{
  "id": "7f9d5ad9-5f0d-42c3-8f64-0dd1a2cbf641",
  "email": "operator@example.com",
  "api_key": "f4d9c7de-3dbd-45fa-9251-1f0cc6c4bb3b"
}

Request body

email
string
required
Email address for the account owner or operational agent boundary.

Response fields

id
string
required
Internal account UUID.
email
string
required
Email address stored for the account.
api_key
string
required
Raw bearer API key. The server stores only a BLAKE3 hash.

Operational guidance

1

Create one boundary per environment

Use separate credentials for local development, CI, production operators, and autonomous agents.
2

Store the key

Put the returned key in the runtime secret manager. Do not store it in prompts, logs, or long-term memory.
3

Rotate on exposure

Rotate credentials after host compromise, accidental logging, prompt leakage, or agent runtime replacement.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json
email
string<email>
required
Example:

"operator@example.com"

Response

Account created.

id
string<uuid>
required
email
string<email>
required
api_key
string
required

Raw API key. Returned once.