Platform Overview

Orquesta is a collaborative prompt orchestration platform that turns natural language prompts into production code. Your team writes what they want built, AI agents handle the code, PRs, and deployment.

The platform supports multiple execution paths: a local agent connected via WebSocket for full Claude CLI capabilities, cloud VMs with direct SSH execution, Batuta AI for autonomous task routing, and an External Agents API for third-party AI integration.

Quick Start

Get running in under 5 minutes:

npm install -g orquesta-agent\norquesta-agent --token YOUR_PROJECT_TOKEN

Onboarding Tour

New users get an interactive guided tour on their first dashboard visit. The tour creates a demo project with sample data and walks through 9 key areas of the platform.

Core Concepts

Local Agent

The orquesta-agent package connects your local machine to the Orquesta dashboard via WebSocket. It receives prompts, executes them using Claude CLI, and streams logs back in real-time.

# Install globally\nnpm install -g orquesta-agent\n\n# Or use npx (not recommended for VMs — can timeout)\nnpx orquesta-agent --token YOUR_TOKEN

Connecting to a Project

Generate a token from the dashboard (Project → Agent → Setup), then:

orquesta-agent --token oat_abc123...

The agent will:

• Validate the token with the Orquesta API
• Establish a WebSocket connection via Supabase Realtime
• Send heartbeats every 30 seconds
• Listen for EXECUTE commands on the project channel
• Report its version and capabilities to the dashboard

Prompt Execution Flow

When a prompt is submitted:

1. Dashboard broadcasts an EXECUTE command via Realtime channel
2. Agent receives it, queues it (sequential execution only)
3. Agent spawns claude CLI process with the prompt
4. Output streams as log entries back to Supabase
5. On completion, agent reports status, git commits, and token usage

Troubleshooting

Dashboard

The dashboard is the central hub for managing projects, submitting prompts, monitoring execution, and collaborating with your team.

Prompts & Execution

The Prompts tab is where you submit work for the AI agent. Each prompt can include:

• Content — Natural language description of what to build
• Tags — Categorize as bug, feature, refactor, urgent, docs
• Assignment — Assign to a specific team member
• Priority — Star important prompts
• Structured Specs — Use bug report, feature spec, or improvement templates with acceptance criteria

Prompts can come from multiple sources:

Management

The Management section includes:

• Tickets — Track work items from Linear integration or manual creation
• Requirements — Define and track project requirements with AI-assisted analysis
• QA — Quality assurance instructions and test tracking
• Planning — Create plans with items, milestones, and AI-generated breakdowns

Logs & History

Real-time log streaming shows every step of agent execution — commands run, files modified, git operations, and more. Logs are categorized by level (info, warning, error) and type (command, output, status, git). The History page shows a chronological timeline of all project activity.

Memory & Context

The Memory panel stores persistent project context that gets included in every prompt execution. This includes architectural decisions, coding conventions, known issues, and project-specific knowledge. Memory is automatically summarized and injected into the Claude CLI context.

Team Collaboration

Orquesta supports four roles with granular permissions:

Project Chat

Each project has a built-in real-time chat powered by Supabase Realtime. Features include threaded conversations, file attachments, read receipts, and typing indicators. Chat is ideal for discussing prompts, reviewing outputs, and coordinating work.

Prompt Comments

Every prompt has a comment thread for code review discussion. You can mention team members with @mentions, add feedback on AI-generated code, and discuss changes before merging.

Planning & Specs

The Planning system lets you create structured plans with items that can be converted into prompts or tickets. AI can generate plan breakdowns from high-level descriptions. Structured Specs (bug reports, feature requests, improvements) include acceptance criteria that guide the AI during execution.

Batuta AI Orchestrator

Batuta is the AI brain of Orquesta — an intelligent orchestrator that analyzes tasks and routes them to the best execution method. Available on the Max tier ($12/user/mo).

Execution Modes

Routines

Routines are saved prompt templates that can be re-executed with one click. Create routines for common tasks like deploying, running tests, checking logs, or performing security scans. Routines can be triggered manually or scheduled.

Scheduled Prompts (Loop)

Schedule prompts to run automatically on a recurring basis via your local agent. Inspired by Claude's /loop command — set a cron schedule and Orquesta dispatches prompts to your agent when they're due.

How it works:

1. Go to your project → Configuration → Scheduled (Loop tab)
2. Create a scheduled prompt with a name, prompt content, and cron schedule
3. The platform checks for due prompts every 2 minutes via a cron endpoint
4. When a prompt is due, it dispatches to your local agent via Supabase Realtime broadcast
5. The agent executes the prompt using Claude CLI and reports results back

Cron presets:

Requirements:

• Your local agent must be running when the schedule triggers
• Maximum 20 scheduled prompts per project
• Max 10 iterations per execution, timeout capped at 1 hour
• Custom cron expressions supported alongside presets

Cloud VMs

Orquesta can provision and manage DigitalOcean droplets for your projects. VMs come pre-configured with security hardening, Docker support, and SSH access.

SSH Access

SSH keys are encrypted with AES-256 and stored in Supabase. The platform handles key management, connection setup, and command execution transparently.

# VM access is managed through the dashboard
# SSH keys are auto-generated and encrypted
# Direct SSH (for debugging):
ssh -i /tmp/orquesta-vm-key -o StrictHostKeyChecking=no user@vm-ip

Security Hardening

Every provisioned VM includes:

• UFW firewall (ports 22, 80, 443 only)
• Docker-aware iptables rules (DOCKER-USER chain) — Docker bypasses UFW by default
• Outbound DDoS rate limiting (SYN 50/s, UDP 100/s, ICMP 10/s)
• Malware detection cron (every 5 minutes)
• Restricted sudo for the orquesta user (whitelisted commands only)
• Automatic security patching

Integrations

Connect your existing tools to Orquesta for a unified workflow.

Vercel

Linear

Telegram Bot

/auth ott_xxxxx    # Authenticate with one-time token\n/prompt Add dark mode  # Submit a prompt\n/status            # Check current execution\n/deploy            # Trigger deployment

Orquesta CLI

AI-powered coding assistant that runs locally with configurable LLM endpoints. Available on the Max tier.

npm install -g orquesta-cli

# Interactive mode
orquesta

# Connect to dashboard
orquesta --token oclt_xxx

# Execute a prompt directly
orquesta -p "Add user authentication"

LLM Configuration

Configure multiple LLM endpoints from the dashboard or locally. Supports:

• OpenAI (GPT-4, GPT-4o, etc.)
• Anthropic (Claude Opus, Sonnet, Haiku)
• Ollama (local models)
• vLLM (self-hosted)
• OpenRouter (model marketplace)
• Any OpenAI-compatible endpoint

Dashboard Sync

LLM configurations sync bidirectionally between the CLI and dashboard. Configure endpoints centrally and distribute to your team. Prompt history is tracked in the dashboard regardless of whether the prompt was submitted via CLI or web UI.

IDE Extension

Connect Cursor, VS Code, or Windsurf directly to Orquesta. Receive prompts from your team's dashboard and execute them inside your IDE — the extension lives in your editor, uses Claude CLI to run prompts in your local workspace, and streams results back to the dashboard in real time.

Installation

Download the .vsix file, then install it in your editor:

# Option 1 — Command palette
# Cursor / VS Code / Windsurf:
# Press Cmd+Shift+P → "Extensions: Install from VSIX..."
# Select the downloaded orquesta-vscode-0.2.9.vsix

# Option 2 — CLI
code --install-extension orquesta-vscode-0.2.9.vsix
cursor --install-extension orquesta-vscode-0.2.9.vsix

Setup & Token

After installation, connect the extension to your project using an agent token:

1. Open your project in Orquesta → Project → Agents
2. Click Create Agent Token → copy the oat_xxx token
3. In your IDE, press Cmd+Shift+P → Orquesta: Set Agent Token
4. Paste the token — the extension connects and opens the sidebar automatically

The token is stored in VS Code's global settings. The extension auto-connects on every startup once a token is saved. To disable auto-connect, set orquesta.autoConnect: false in settings.

Execution Modes

Control how prompts are executed via the orquesta.executionMode setting:

Commands

{
  "orquesta.agentToken": "oat_xxx",       // Your agent token
  "orquesta.autoConnect": true,           // Connect on startup
  "orquesta.workingDirectory": "",        // Defaults to workspace folder
  "orquesta.executionMode": "auto"        // "auto" | "cli" | "ide-ai"
}

Embed SDK

Embed the Orquesta feedback widget in your production applications. Users can report bugs with element inspection, screenshots, and console logs — all flowing back to your Orquesta project.

Vanilla JavaScript

<link rel="stylesheet" href="https://orquesta.live/embed/v1/orquesta.css" />
<script src="https://orquesta.live/embed/v1/orquesta.min.js"></script>
<script>
  Orquesta.init({
    token: 'YOUR_EMBED_TOKEN',
    position: 'bottom-right'
  });
</script>

React Component

import { OrquestaEmbed } from 'orquesta-embed'

function App() {
  return (
    <OrquestaEmbed
      token="YOUR_EMBED_TOKEN"
      position="bottom-right"
    />
  )
}

Builder Mode

Builder mode renders a full-screen IDE-style interface (similar to Bolt or Lovable) with three panes: chat on the left, live preview on the right, and a collapsible terminal at the bottom.

<!-- Vanilla JS -->
<div id="builder-root"></div>
<script src="https://orquesta.live/embed/v1/orquesta.min.js"></script>
<script>
  Orquesta.init({
    token: 'YOUR_EMBED_TOKEN',
    mode: 'builder',
    container: '#builder-root',
    previewUrl: 'https://your-app.com'
  });
</script>

// React
import { OrquestaEmbed } from 'orquesta-embed'

function Builder() {
  return (
    <OrquestaEmbed
      token="YOUR_EMBED_TOKEN"
      mode="builder"
      container="#builder-root"
      previewUrl="https://your-app.com"
    />
  )
}

Builder panes:

• Chat — Send prompts, see AI responses and status updates
• Preview — Live iframe with URL bar and refresh button, auto-reloads on prompt completion
• Terminal — Real-time execution logs, collapsible, color-coded output

Panes are resizable via drag handles. The terminal can be collapsed/expanded. Fully responsive with a stacked layout on mobile.

Features

• Element Inspector — Click any element to mark it in a bug report
• Console Capture — Automatically captures browser console output
• Network Capture — Records failed API requests
• Comment System — Inline feedback on specific elements
• Timeline — User action timeline for reproduction

External Agents API

REST API that lets third-party AI agents (GPT, LangChain, CrewAI, custom agents) connect to your Orquesta project. The external agent brings the brain, Orquesta provides execution + coordination.

How it works:

1. Generate an oxa_ token from the dashboard (Project → Team → External Agents)
2. Register your agent via the API
3. Read project context to understand the codebase
4. Submit prompts — the local orquesta-agent executes them
5. Poll for results and iterate

Authentication

All API requests require a Bearer token with appropriate scopes:

Authorization: Bearer oxa_abc123...

Rate limits: 30 requests/minute, 300 requests/hour (configurable per token).

API Reference

Base URL: https://orquesta.live/api/external-agent

Examples

import requests

API = "https://orquesta.live/api/external-agent"
TOKEN = "oxa_your_token_here"
HEADERS = {"Authorization": f"Bearer {TOKEN}"}

# 1. Register your agent
requests.post(f"{API}/register", headers=HEADERS, json={
    "name": "my-gpt-agent",
    "model": "gpt-4o",
    "provider": "openai",
    "version": "1.0.0",
    "capabilities": ["code-review", "testing"]
})

# 2. Read project context
ctx = requests.get(f"{API}/context", headers=HEADERS).json()
print(ctx["memory"])  # Project knowledge

# 3. Submit a prompt
resp = requests.post(f"{API}/prompts", headers=HEADERS, json={
    "content": "Add input validation to the signup form",
    "tags": ["feature"]
})
prompt_id = resp.json()["promptId"]

# 4. Poll for completion
import time
while True:
    status = requests.get(
        f"{API}/prompts/{prompt_id}", headers=HEADERS
    ).json()
    if status["status"] in ("completed", "failed"):
        print(f"Result: {status['result']}")
        break
    time.sleep(5)

curl -X POST https://orquesta.live/api/external-agent/prompts \
  -H "Authorization: Bearer oxa_xxx" \
  -H "Content-Type: application/json" \
  -d '{"content": "Fix the login bug", "tags": ["bug"]}'

Autonomous Agent Bot

Orquesta ships with a built-in autonomous bot that uses Claude CLI as its brain to strategically plan and submit tasks via the External Agents API. The local agent executes each task.

No API key needed — the bot uses your Claude web subscription via claude login.

How it works:

1. Registers as an autonomous agent via the API
2. Gathers project context, recent prompts, and queue status
3. Spawns claude -p with full context to decide the next task
4. Submits the prompt, polls until completion, records the result
5. Repeats — each iteration builds on the previous results

# Run with token (default 5 iterations)
npx tsx scripts/autonomous-agent/run.ts oxa_your_token

# Or use env var with custom iterations
MAX_ITERATIONS=10 ORQUESTA_AGENT_TOKEN=oxa_xxx npx tsx scripts/autonomous-agent/run.ts

Configurable: MAX_ITERATIONS (default 5), ITERATION_DELAY (default 30s between iterations).

Security

Security is foundational to Orquesta. Your code runs on your machine, credentials are encrypted, and all data access is controlled by row-level security policies.

Row-Level Security

Every Supabase table has RLS policies enforcing organization-level isolation. Users can only access data within their organization. Admin operations use a service role key with elevated permissions, never exposed to the client.

Token Management

All tokens are SHA-256 hashed before storage. Only the hash is stored — the plain token is shown once at creation and cannot be retrieved. Tokens can be revoked instantly from the dashboard.

Security Scanning

Built-in security scanning analyzes prompts and generated code for vulnerabilities. Scans detect common issues like SQL injection, XSS, command injection, and exposed credentials. Results appear in the Security panel with severity ratings and remediation guidance.

GuardRails

GuardRails is a per-project prompt protection layer that intercepts every prompt before it reaches the agent. It scans for prompt injection, jailbreaks, role overrides, and data exfiltration attempts using 30+ built-in regex rules plus an optional GPT-4o-mini AI review pass.

How it works:

1. Every prompt is scored against 6 rule categories before execution
2. Score ≥ 70 → blocked, 30–69 → warned, < 30 → passed
3. Result is stored on the prompt (guardrail_status, guardrail_flags)
4. In block mode the prompt is cancelled and a 403 is returned; in warn mode it runs but is flagged

Action Modes:

• Block — prompt is cancelled; the sender receives an error with the matched rule
• Warn — prompt executes normally but is flagged in the violations log
• Log Only — prompt executes, violations recorded silently for auditing

Configuration: Go to Agent → GuardRails in the project dashboard to enable, set the mode, toggle AI review, and add custom regex patterns. Project admins can also toggle GuardRails on/off directly from the Send Prompt toolbar using the GuardRails button — no need to navigate away.

GuardRail API endpoints:

Quality Gates

Quality Gates let admins require a Simulate before Submit step for specific team members. When enabled, the member's Execute button changes to Simulate — clicking it calls an AI that previews what the agent would do (files touched, commands run, risks). The member then chooses Sign & Submit to proceed or Cancel.

How to enable:

1. Go to Team in the project dashboard
2. Click the Sign-off badge next to a member's name (admins only)
3. The badge turns amber when active — that member will see "Simulate" instead of "Execute"
4. The simulation is tracked via quality_gate_signed on the prompt record

CLAUDE.md Sync

Edit your project's CLAUDE.md directly from the dashboard and keep it in sync with the agent's working directory. Claude Code reads CLAUDE.md from the project root on every session — no more manual SSH to update it.

Dashboard Editor

Open Configuration → Settings → CLAUDE.md tab. Edit the content and save. It is stored in projects.settings.claude_md. On the next agent connect, the file is written to <workingDirectory>/CLAUDE.md.

Agent Sync

On first connect the agent uploads the local CLAUDE.md to the dashboard (only if no user content is saved):

1. Agent reads CLAUDE.md from its working directory
2. POSTs content to /api/agent/claude-md
3. Server stores it only if settings.claude_md is not yet set (user edits are never overwritten)
4. On subsequent connects, if settings.claude_md is set, it is written back to disk

Performance Dashboard

The Performance tab (Configuration → Performance) shows aggregated token usage and cost data for the project, broken down by model and day. Data comes from the tokens_used and cost_cents fields populated by the Claude CLI executor.

What you see:

• Stat cards: Total cost ($), Total tokens, Prompt count
• Daily bar chart: cost per day over the selected period
• Model breakdown table: model, provider, prompts, tokens, cost — sorted by cost
• Period selector: 7 days / 30 days / All time

Performance API

Quick Prompts

Quick Prompts let you save frequently used prompts as reusable templates. Instead of retyping the same instructions, save them once and execute with a single click.

Create & Use Quick Prompts

Creating:

• Open the prompt input in any project
• Type your prompt, then click the Save as Quick Prompt button
• Give it a name and optional description
• Quick prompts are saved per-project in the quick_prompts table

Using:

• Click the Quick Prompts dropdown in the prompt input area
• Select a saved prompt to auto-fill the input
• Edit if needed, then submit as normal

Use cases:

• Standard code review prompts
• Deployment checklists
• Bug report templates
• Recurring maintenance tasks

Building in Public

Make your project's AI activity publicly visible — no login required. Enable the "Build in Public" toggle and your project appears on the Live Feed at orquesta.live/feed, letting anyone follow along as your AI agent ships code in real time. A great way to generate FOMO and showcase what AI-powered development looks like.

Enable & Configure

Go to Project → Settings → Permissions tab. Under "Build in Public", flip the toggle on.

• Custom slug — Set a short URL like my-project so your feed page lives at orquesta.live/feed/my-project instead of a UUID. Must be lowercase letters, numbers, and hyphens (3–50 chars). Must be unique.
• Live site URL — Enter your deployed app URL (e.g. https://myapp.com). Visitors on your feed page will see an embedded iframe preview of the actual running product beneath the prompt timeline.

Live Feed

The global feed at /feed lists all public projects, sorted by community vote score. Each card shows:

• Agent online/offline status (green dot = seen in the last 3 minutes)
• Amber "Running now" pulse when a prompt is actively executing
• Last 3 prompt snippets with status icons and source badges (Web / Telegram / Auto / etc.)
• Up/down vote buttons — score is upvotes minus downvotes, stored per anonymous browser UUID
• Link to the full project timeline at /feed/[slug]

The project detail page (/feed/[slug]) shows:

• Iframe preview of the live site (if a site URL is configured)
• Full prompt timeline (last 50 prompts, read-only)
• Expandable prompt content, tags, source, duration
• Share on X button and copy-link button
• Live logs terminal for any currently running prompt

Real-time Logs

When a prompt is running, a terminal panel appears below it on the public project page and streams agent logs every 2 seconds. Logs are filtered — internal thinking entries are hidden, and only actionable output is shown:

Logs are capped at the last 80 entries per poll and truncated to 500 chars per line. Auto-scrolls to the latest entry.

Public API

These endpoints require no authentication — they are fully public:

OSS Community

Orquesta OSS is a self-hosted, open-source version of the platform. OSS instances can optionally publish themselves to the orquesta.live/feed community feed, making your instance discoverable by other developers.

Self-Hosting

Get started with the OSS version:

# Clone the repository
git clone https://github.com/Orquesta-live/orquesta-oss.git
cd orquesta-oss

# Install dependencies
npm install

# Set up the database
npx prisma db push

# Start the development server
npm run dev

OSS Stack:

• Next.js 15 + Prisma + SQLite (no external DB needed)
• Better Auth for authentication
• Socket.io for real-time agent communication
• Full Agent Grid, agent tokens, and interactive sessions

Publish to Community Feed

OSS instance owners can publish their instance to the community feed at orquesta.live/feed. This makes your instance visible to the community.

How to publish:

• Open your OSS instance dashboard
• Click the Publish to Community button in the project header (owner only)
• Your instance details are sent to POST /api/oss/publish
• Your instance appears in the Community section of /feed

API:

Billing & Plans

Feature Matrix

Enterprise

Orquesta Enterprise is designed for organizations that need advanced security, compliance, and control over AI-powered development workflows. From SSO and fine-grained permissions to on-premise deployment and SOC 2 compliance, Enterprise gives your security and procurement teams everything they need to approve Orquesta for production use.

SSO & Identity Management

Orquesta integrates with your existing identity provider so your team can log in with their corporate credentials. No separate passwords, no manual user provisioning.

SCIM Provisioning

Automate user lifecycle management with SCIM 2.0. When employees join or leave your organization, their Orquesta access is automatically provisioned or revoked through your identity provider.

• Automatic user creation when added to IdP group
• Automatic deactivation when removed from IdP
• Group-to-role mapping (IdP groups map to Orquesta roles)
• Just-in-time (JIT) provisioning for first-time logins

Multi-Factor Authentication (MFA)

Enforce MFA at the organization level. Orquesta supports TOTP (authenticator apps), WebAuthn (hardware keys like YubiKey), and SMS as a fallback. Admins can require MFA for all members or specific roles.

Domain Verification

Claim your email domain (e.g., @yourcompany.com) so that any employee who signs up with that domain is automatically added to your organization. Prevents shadow accounts and ensures centralized management.

Advanced Roles & Permissions

Enterprise RBAC goes beyond the standard Admin / Developer / Viewer roles. Create custom roles with granular permissions scoped to specific projects, environments, and actions.

Built-in Enterprise Roles

Custom Roles

Create custom roles with fine-grained permission sets. Each permission is a combination of resource + action:

{
  "name": "Senior Developer",
  "permissions": [
    "prompts:submit",
    "prompts:execute",
    "prompts:approve",
    "logs:read",
    "git:commit",
    "git:push",
    "agents:connect",
    "agents:interactive_session",
    "vm:ssh",
    "settings:claude_md:edit"
  ],
  "restrictions": {
    "environments": ["development", "staging"],
    "max_tokens_per_prompt": 50000,
    "blocked_commands": ["rm -rf /", "DROP DATABASE", "format"]
  }
}

Environment-Scoped Access

Restrict what environments each role can target. A developer might have full access to development and staging but require approval for production. Environments are defined per project and enforced at the agent level.

• Development — open access, no approvals required
• Staging — developer access, optional review
• Production — requires quality gate approval from Reviewer or Project Admin
• Restricted — only Org Admins and Security Officers, full audit on every action

Command Allowlists & Blocklists

Define which shell commands and patterns are allowed or blocked per role and environment. The agent enforces these rules before execution, preventing destructive or unauthorized operations.

{
  "production": {
    "blocked_patterns": [
      "rm -rf",
      "DROP TABLE",
      "DROP DATABASE",
      "truncate",
      "format",
      "mkfs",
      "dd if=",
      "> /dev/sd"
    ],
    "require_approval": [
      "git push",
      "npm publish",
      "docker build",
      "kubectl apply",
      "terraform apply"
    ]
  }
}

IP Allowlisting

Restrict dashboard and API access to specific IP ranges. Only requests from your corporate network, VPN, or approved CIDR blocks can access Orquesta. Configured at the organization level.

{
  "ip_allowlist": {
    "enabled": true,
    "ranges": [
      "203.0.113.0/24",
      "198.51.100.0/24",
      "10.0.0.0/8"
    ],
    "bypass_for_sso": false,
    "enforce_on_api": true,
    "enforce_on_agents": true
  }
}

Deployment Options

Choose the deployment model that matches your security and compliance requirements. Orquesta supports everything from fully-managed cloud to air-gapped on-premise installations.

Data Residency

Choose where your data is stored to comply with regional regulations. Available regions for managed cloud and VPC deployments:

• US East (Virginia) — default
• US West (Oregon)
• EU West (Frankfurt) — GDPR-compliant
• EU North (Stockholm)
• LATAM (Sao Paulo)
• APAC (Sydney, Tokyo)

High Availability Architecture

Enterprise deployments run in a high-availability configuration with automatic failover:

• Multi-AZ database replication with automatic failover
• Load-balanced API servers across availability zones
• WebSocket relay with sticky sessions and reconnection handling
• Redis cluster for real-time state and caching
• Automated daily backups with 30-day retention (configurable)
• Disaster recovery with RPO < 1 hour, RTO < 4 hours

Audit & Governance

Every action in Orquesta is logged with full context. Enterprise audit goes beyond standard logging with immutable audit trails, SIEM integration, and configurable retention policies.

Immutable Audit Log

Every event is written to an append-only audit log that cannot be modified or deleted, even by Org Owners. Events are cryptographically chained to detect tampering.

SIEM Integration

Stream audit events in real-time to your SIEM or log management platform. Supported targets:

• Splunk — via HEC (HTTP Event Collector)
• Datadog — via Log Forwarding API
• Elastic / ELK — via Elasticsearch bulk API
• AWS CloudWatch — for VPC deployments
• Azure Monitor — via Log Analytics workspace
• Custom Webhook — any HTTPS endpoint, JSON payload, HMAC-signed

Approval Workflows

Enterprise quality gates support multi-level approval chains. Configure approval requirements per environment and action type:

{
  "approval_policy": {
    "production": {
      "prompt_execution": {
        "required_approvals": 2,
        "approver_roles": ["Reviewer", "Project Admin"],
        "auto_reject_after_hours": 48,
        "require_diff_review": true
      },
      "git_push": {
        "required_approvals": 1,
        "approver_roles": ["Project Admin", "Org Admin"]
      },
      "destructive_commands": {
        "required_approvals": 2,
        "approver_roles": ["Org Admin", "Security Officer"],
        "notify": ["#security-alerts"]
      }
    },
    "staging": {
      "prompt_execution": {
        "required_approvals": 1,
        "approver_roles": ["Reviewer", "Developer"],
        "auto_approve_after_hours": 24
      }
    }
  }
}

Data Retention Policies

Configure how long different types of data are retained. Meet regulatory requirements while managing storage costs:

• Audit logs — 1 year minimum, configurable up to 7 years (required for SOC 2, HIPAA)
• Execution logs — 90 days default, configurable
• Prompt history — 1 year default, configurable
• Git diffs — retained indefinitely (linked to commits)
• Session recordings — 30 days default, configurable
• Automated purge — data is securely deleted after retention period expires

Cost Management & Budgets

Enterprise cost management gives finance and engineering leaders full visibility and control over AI spending across the organization.

Budget Controls

Usage Dashboard

A dedicated enterprise analytics dashboard provides:

• Real-time token usage across all projects and teams
• Cost breakdown by project, user, team, and environment
• Historical trend analysis with monthly/quarterly reports
• Export to CSV/PDF for finance reporting
• API cost attribution (which LLM provider, model, and tier)
• Forecasting based on usage trends

Enterprise Integrations

Connect Orquesta to the tools your team already uses. Enterprise integrations go beyond standard webhooks with deep, bidirectional integrations.

Webhook System

The enterprise webhook system supports any HTTPS endpoint with configurable events, retry policies, and HMAC signature verification:

{
  "url": "https://your-service.com/webhooks/orquesta",
  "secret": "whsec_...",
  "events": [
    "prompt.submitted",
    "prompt.approved",
    "prompt.executed",
    "prompt.failed",
    "agent.connected",
    "agent.disconnected",
    "security.alert",
    "budget.threshold"
  ],
  "retry_policy": {
    "max_retries": 5,
    "backoff": "exponential",
    "timeout_ms": 30000
  },
  "headers": {
    "X-Custom-Header": "value"
  }
}

SLA & Support Tiers

Enterprise customers receive premium support with guaranteed response times and a dedicated customer success team.

Slack Connect

Enterprise customers get a shared Slack Connect channel with Orquesta engineering. Get direct access to the team that builds the product for fast issue resolution, feature requests, and architectural guidance.

Compliance & Certifications

Orquesta is committed to meeting the highest security and compliance standards. Below is our current compliance posture and certification roadmap.

Current Compliance

Certification Roadmap

The following certifications are planned or in progress as part of our enterprise compliance roadmap:

Security Practices

• Penetration Testing — Annual third-party pentest. Results available under NDA.
• Bug Bounty Program — Responsible disclosure program for security researchers.
• Dependency Scanning — Automated CVE scanning on every build via Snyk/Dependabot.
• Static Analysis — SAST tooling integrated into CI/CD pipeline.
• Secret Detection — Pre-commit hooks and CI checks prevent secret leakage.
• Employee Security — Background checks, security training, least-privilege access, hardware keys for infrastructure.
• Incident Response — Documented IR plan with 1-hour acknowledgment for P1 incidents. Postmortem within 72 hours.
• Vendor Management — All sub-processors evaluated for security posture. DPAs in place with all vendors.

Trust Center

Visit orquesta.live/trust for our public Trust Center, which includes:

• Real-time system status and uptime history
• Security whitepaper (downloadable PDF)
• SOC 2 report request form
• DPA (Data Processing Agreement) template
• Sub-processor list
• Penetration test summary
• Responsible disclosure / bug bounty policy

Enterprise Onboarding

Every enterprise customer receives a structured onboarding experience to ensure fast time-to-value and successful adoption across teams.

Onboarding Timeline

Enterprise Evaluation

We offer a 30-day enterprise trial with full feature access. No credit card required. The trial includes:

• Full Enterprise feature set (SSO, RBAC, audit, integrations)
• Up to 25 users during trial period
• Dedicated Slack Connect channel with Orquesta team
• Two 1-hour onboarding sessions
• Security questionnaire pre-filled
• Custom proof-of-concept for your specific workflow