Credentials

Orchka provides a secure credential management system for storing and using API keys, tokens, and authentication details in your workflows.

Overview

Instead of hardcoding sensitive values in your workflow nodes, you can:

  1. Store credentials securely with AES-256-GCM encryption
  2. Reference credentials by ID in your nodes
  3. Credentials are decrypted only during workflow execution

Credential Types

TypeFieldsUse Case
API KeyapiKeyGeneric API authentication
Basic Authusername, passwordHTTP Basic authentication
Bearer TokentokenOAuth/JWT bearer tokens
OAuth2clientId, clientSecret, accessToken, refreshTokenOAuth2 flows
OpenAIapiKey, organization (optional)OpenAI API
AnthropicapiKeyAnthropic Claude API
Google AIapiKeyGoogle Gemini API
XaccessToken, refreshToken (optional)Publish X posts
LinkedInaccessToken, refreshToken (optional)Publish LinkedIn posts
Facebook PagepageAccessTokenPublish Facebook Page posts
InstagramaccessToken, refreshToken (optional)Publish Instagram media
ThreadsaccessToken, refreshToken (optional)Publish Threads posts
TikTokaccessToken, refreshToken (optional)TikTok integrations
YouTubeaccessToken, refreshToken (optional)YouTube integrations
PinterestaccessToken, refreshToken (optional)Create Pinterest pins
RedditaccessToken, refreshToken (optional)Submit Reddit posts
Blueskyidentifier, password, serviceUrl (optional)Publish Bluesky posts
MastodoninstanceUrl, accessTokenPublish Mastodon statuses
DiscordwebhookUrlSend Discord webhook messages

Creating Credentials

  1. Navigate to Credentials in the dashboard sidebar
  2. Click New Credential
  3. Select the credential type
  4. Enter a unique name and the required fields
  5. Click Create

Using Credentials in Nodes

AI Agent Node

Select a stored credential instead of relying on environment variables:

  1. Open the AI Agent node settings
  2. In the Credential dropdown, select your saved credential
  3. The credential type must match the selected model provider
Model: gpt-4o
Credential: My OpenAI Key (OpenAI type)

HTTP Request Node

Use credentials for API authentication:

  1. Open the HTTP Request node settings
  2. Set Auth Type to "Credential"
  3. Select the appropriate credential

Supported credential types for HTTP:

  • Bearer TokenAuthorization: Bearer <token>
  • Basic AuthAuthorization: Basic <base64>
  • API KeyX-API-Key: <key>

Social Media Nodes

Social nodes use dedicated credential types so each platform can validate the fields it needs:

NodeCredential TypeNotes
X PostXRequires an OAuth user token with post write access
LinkedIn PostLinkedInRequires permission to publish as the selected member or organization
Facebook Page PostFacebook PageRequires a Page access token
Instagram PostInstagramRequires Graph API publishing access and an image URL
Threads PostThreadsRequires Threads API publishing access
Discord MessageDiscordUses an incoming webhook URL
Reddit PostRedditRequires OAuth submit permission
Bluesky PostBlueskyUses handle/DID plus an app password
Mastodon PostMastodonRequires instance URL and a token with write:statuses
Pinterest PinPinterestRequires pin creation access

Testing Credentials

Before using a credential in production:

  1. Open the credential details
  2. Click Test Credential
  3. For AI provider credentials, this validates the API key with the provider
  4. Generic and social credentials are schema-validated; platform-side permission errors surface when the workflow runs

Security

  • Credentials are encrypted at rest using AES-256-GCM
  • Decryption only occurs during workflow execution
  • Credential data is never exposed in API responses (only metadata)
  • Audit logs track credential access during workflow runs

Environment Setup

Generate an encryption key for your deployment:

# Generate a 32-byte hex key
openssl rand -hex 32

Add to your .env:

CREDENTIAL_ENCRYPTION_KEY=your_64_character_hex_key_here

Best Practices

  1. Use descriptive names - "Production OpenAI" vs "test-key-1"
  2. Rotate credentials regularly - Update credentials without changing workflows
  3. Test before deploying - Use the test feature to validate credentials
  4. One credential per purpose - Easier to track and rotate

AI Agent

Use credentials with AI models.

Node Types

See all available nodes.

Expression Engine

Transform data dynamically using JSONata expressions

Execution Monitoring

Track, debug, and analyze your workflow executions

On this page

CredentialsOverviewCredential TypesCreating CredentialsUsing Credentials in NodesAI Agent NodeHTTP Request NodeSocial Media NodesTesting CredentialsSecurityEnvironment SetupBest Practices