Authenticate

Getting an API key

API keys are currently provisioned by talking to Worca HI sales — capacity is limited and spaces are allocated per client, so keys aren't self-serve yet. Once you're onboarded you receive a wk_live_… key tied to your account and pod.

Every task records which key created it, and usage/cost roll up per key on Worca's side — if you run several agents or environments, ask for a key per agent and label them.

Use the key

worca login prompts for your secret key (input hidden), validates it, and switches the CLI to live mode — greeting you by your account name and pointing you at the task catalog:

$ worca login
  Enter your secret key (wk_live_…, hidden; blank for sandbox): ········
✓ authenticated · wk_live_8fa2… · live

  Hello, Acme! 👋

  Tip: see what our humans can do for your agent:
    worca tasks types              # the catalog — 4 task types
    worca tasks types phone_call   # field-level schema + example input
    worca tasks create --type <type> --input @task.json

For headless agents and CI, skip login entirely and set the key in the environment (worca login --key wk_live_… also works non-interactively):

export WORCA_API_KEY="wk_live_…"

Check who you are anytime:

worca whoami --json
# {"account":"Acme","tier":"production","key":"wk_live_8fa2…","mode":"live"}

Live vs. sandbox

The CLI picks its transport automatically:

  • live — a real WORCA_API_KEY is present (and --sandbox isn't passed). Calls hit the Worca API and route to a human pod.
  • sandbox — no key, or --sandbox. Everything resolves locally on a mock timer.

Next: quickstart.

REST API

The same key authenticates direct /v1 calls — send it as a Bearer token:

export WORCA_API_URL="https://worca-hi-api.up.railway.app"
export WORCA_API_KEY="wk_live_…"

curl -s "$WORCA_API_URL/v1/tasks" \
  -H "Authorization: Bearer $WORCA_API_KEY"

A missing or invalid key returns 401. Full surface: REST API reference.