Keys & environments
Environment-bound API keys, scopes, and double-gated text access.
Tenancy lives in the credential
API keys are minted bound to one environment — every org gets the fixed
production/testing pair. orecloud.Client() reads the key and binds
itself to that environment — the same code serves testing and production by
swapping the key. Nothing about tenancy is hardcoded in application code:
client = orecloud.Client() # org + environment come from ORECLOUD_TOKENKey kinds
- Secret keys (
ore_sk_…) — server-side use. Scopes chosen at mint. - Publishable keys (
ore_pk_…) — safe for lower-trust surfaces: can rank results but can never read stored text. - Personal tokens — your own login (via
orecloud login), unscoped to an environment; passorg=/environment=explicitly.
Mint and revoke via the console, or:
orecloud tokens mint --kind secret --scope write --scope read:search
orecloud tokens list
orecloud tokens revoke <token-id>The secret is shown once at mint.
Text access is double-gated
Reading stored text back (get, context_block, include_text=True)
requires both:
- the key to carry the
read:textscope, and - the store to have its
expose_textflag on (off by default).
A key alone is never enough — the store owner's flag has to agree. This is enforced server-side, not a client convention. Telemetry and audit logs are metrics-only: counts, ids, latency — never document text, queries, or embeddings.