API Keys
Understand the difference between Orchestrator API keys and Skytells API keys, and how to manage each.
Orchestrator uses its own API key system that is completely separate from Skytells platform API keys. Understanding this separation is essential.
Two Key Types
| Orchestrator API Key | Skytells API Key | |
|---|---|---|
| Purpose | Authorize webhook execution in Orchestrator | Authenticate requests to the Skytells platform (predictions, models, inference) |
| Format | wfb_<random> (42 characters) | Skytells-issued key |
| Where used | Authorization: Bearer wfb_... header on webhook endpoint | Stored as an integration credential in Orchestrator; used by Skytells actions during execution |
| Created in | Orchestrator → User Menu → API Keys | Skytells Console |
| Stored as | SHA-256 hash in Orchestrator database | AES-256-GCM encrypted in Orchestrator integrations |
A Skytells API key cannot authorize Orchestrator webhook calls. An Orchestrator key cannot call Skytells APIs. They serve different purposes and are not interchangeable.
Orchestrator API Keys
Creating a Key
Open API Keys
Click your user avatar → API Keys.
Create a new key
Click Create Key and optionally give it a name (e.g., "production", "staging").
Copy the key immediately
The full key (wfb_...) is shown only once. Copy it and store it securely (e.g., in a secrets manager or environment variable).
After you close the dialog, only the key prefix (first 11 characters) is visible.
Key Security
- The full key is never stored — only the SHA-256 hash and the first 11 characters (prefix) are saved.
- When a webhook request arrives, the provided key is hashed and compared against stored hashes.
- The key must belong to the same user who owns the workflow.
lastUsedAtis updated on each successful authentication.
Key Management
From the API Keys panel, you can see:
- Key name and prefix (e.g.,
wfb_abc1234) - Created at timestamp
- Last used at timestamp
To revoke a compromised key, delete it from the panel. Any webhook calls using that key will immediately fail with a 401 error.
Best Practices
- Create separate keys per environment (development, staging, production)
- Name keys descriptively so you can identify their purpose
- Rotate keys periodically
- Monitor
lastUsedAtfor suspicious or stale keys - Store keys in a secrets manager, never in source code
Skytells API Keys in Orchestrator
Your Skytells API key is used by Skytells workflow actions (Create Prediction, Generate Text, Create Image, etc.) to call the Skytells Predictions API and Inference API.
To use Skytells actions in Orchestrator:
- Go to Connections → Add Connection → Skytells
- Enter your Skytells API key
- Save the integration
- Attach the integration to your Skytells action nodes
The key is stored encrypted (AES-256-GCM) and only decrypted at runtime when the step executes.
Summary
Webhook call → Orchestrator API Key (wfb_...) → authorizes execution
↓
Workflow runs → Skytells Action → Skytells API Key (from integration) → calls Skytells APINext Steps
Webhooks
Use your Orchestrator key to trigger workflows via webhook.
Integrations
Store your Skytells API key as an integration credential.
Skytells API Keys
Create and manage Skytells platform API keys.
How is this guide?