Skip to main content
New Orka users typically hit three different credential prompts before they can do anything useful, and none of the three are the same thing. Here’s how they fit together.

The three systems

1. MacStadium portal credentials

Your MacStadium account username and password. Use these to log in to portal.macstadium.com to access your IP Plan, manage billing, and request changes to your cluster. These credentials have nothing to do with Orka itself — they don’t let you deploy VMs or run CLI commands.

2. Orka user tokens

Orka’s own authentication layer, separate from the portal. You log in with: 
orka3 login
This mints a short-lived token that expires after 1 hour. The token is scoped to your Orka namespace and lets you run CLI commands, deploy VMs, manage images, and access the web UI.
Do not use orka3 login or orka3 user get-token in CI/CD pipelines. Tokens expire after 1 hour and will break long-running jobs.
For CI/CD, use service accounts instead: 
orka3 sa create <SERVICE_ACCOUNT_NAME>
orka3 sa token <SERVICE_ACCOUNT_NAME> --no-expiration
Service account tokens are long-lived (default: 1 year) or non-expiring, and are designed to be injected as environment variables in your pipeline. See Manage Service Accounts for the full workflow.

3. VM credentials

The macOS username and password inside each VM. These are what you use to SSH in or connect via Screen Sharing. MacStadium base images ship with default credentials:
  • Username: admin
  • Password: admin
Change the default VM password after your first login. The default admin/admin credentials are well known and your VMs are accessible to anyone with VPN access to your cluster.

Quick reference

CredentialUsed forExpires
MacStadium portal loginportal.macstadium.com — billing, IP Plan, accountNo
orka3 login tokenCLI and web UI (human use)1 hour
Service account tokenCI/CD pipelines and automation1 year (or never)
VM credentialsSSH, VNC into VMsNever (until you change them)

Common mistakes

Using orka3 login in a pipeline. The token will expire mid-job and cause confusing authentication errors. Use a service account. Rotating portal credentials and expecting Orka to break. They’re independent — changing your portal password doesn’t affect your Orka tokens or service accounts. Leaving VM credentials at admin/admin. Every VM on your cluster shares the same default, so a single compromised VM credential means all of them are exposed.