Authentication
Partner API requests must include an Orbit-issued token.
Preferred header:
http
Authorization: Bearer orb_ext_your_tokenFallback header:
http
X-Orbit-API-Token: orb_ext_your_tokenToken Handling
Tokens are generated by Orbit, stored hashed, and can be revoked or regenerated by Orbit staff.
For partner systems:
- Store tokens only in backend secrets.
- Do not hard-code tokens into public repositories.
- Rotate a token immediately if it may have been exposed.
- Keep request logs from recording full token values.
Rate Limits
Current limits include:
| Scope | Limit |
|---|---|
| Authenticated token | 30/sec |
| Player status per token and UUID | 10/sec and 300/min |
If you receive 429 Too Many Requests, slow down and retry later.
Errors
| Status | Meaning |
|---|---|
401 | Missing, invalid, or revoked token. |
429 | Rate limit exceeded. |
503 | Presence backend unavailable. |