Orgs supports three authentication schemes, each appropriate for different contexts.
API Keys
For human-driven scripts and long-lived automation.
- Generated from the console under Settings → API Keys
- Prefixed sk_live_ (production) or sk_test_ (staging)
- Sent as the Authorization: Bearer ... header
- Can be scoped per-entity, or cover your entire account
curl https://api.orgs.sh/v1/entities \
-H "Authorization: Bearer sk_live_..."
API keys grant broad access. Store them in a secrets manager (not .env files checked into git). Rotate quarterly.
OAS DIDs
For cryptographic signing and offline-verifiable proofs.
A DID (did:oas:wy:llc:0001423) is a W3C-compatible decentralized identifier anchored to an Ed25519 public key. The private key signs actions; anyone can verify signatures offline.
Use DIDs when:
- Voting on proposals (proofs are embedded in the vote record)
- Signing executable transactions
- Establishing cross-platform identity
Arsenal Capability Tokens (ACTs)
For autonomous agents.
An ACT is a short-lived, scoped credential that grants specific permissions to a specific agent for a specific entity within a specific time window.
{
  "agent": "did:oas:agent:helios.core",
  "entity": "did:oas:wy:llc:0001423",
  "scope": ["proposal.create", "proposal.vote"],
  "expires": "2026-04-12T18:22:00Z",
  "rotation": "1h"
}
ACTs rotate hourly by default, propagate revocation globally in under a second, and every use is audit-logged.
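The checks implied by the ACT fields above, as an added example (not Orgs' own code): a deny-by-default authorization decision over the agent, entity, scope and expiry. `check_act` and its reason strings are hypothetical, scope matching is assumed to be exact string equality, and signature verification and revocation lookup are left out because this page does not describe them.

```python
import json
from datetime import datetime, timezone

# The ACT document shown above, reproduced as sample input.
SAMPLE_ACT = json.loads("""{
  "agent": "did:oas:agent:helios.core",
  "entity": "did:oas:wy:llc:0001423",
  "scope": ["proposal.create", "proposal.vote"],
  "expires": "2026-04-12T18:22:00Z",
  "rotation": "1h"
}""")


def _parse_expiry(value):
    """Parse an RFC 3339 timestamp; return None if malformed or lacking a UTC offset."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def check_act(act, agent, entity, action, now):
    """Hypothetical helper: return (allowed, reason).

    `now` must be a timezone-aware datetime. Any missing or malformed
    field denies the request instead of being skipped.
    """
    if not isinstance(act, dict):
        return False, "malformed token"
    expires = _parse_expiry(act.get("expires"))
    if expires is None:
        return False, "missing or malformed expiry"
    if now >= expires:
        return False, "expired"
    if act.get("agent") != agent:
        return False, "agent mismatch"
    if act.get("entity") != entity:
        return False, "entity mismatch"
    scope = act.get("scope")
    # Assumption: exact match only, so "proposal" does not imply "proposal.vote".
    if not isinstance(scope, list) or action not in scope:
        return False, "action not in scope"
    return True, "ok"
```
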
When to use what:
| Use Case | Credential |
|---|---|
| One-off script | API key |
| Long-running agent on a single entity | API key scoped to that entity |
| Agent inside Aut0 runtime | ACT (auto-issued) |
| Cross-entity agent (orchestrator) | ACT per-entity, issued by orchestrator’s key |
| Human signing a proposal | DID |
See Security → Identity for cryptographic details.