# Understanding Orka Credentials

> Learn how Orka's three credential systems work, when to use each, and how to avoid the common mistake of using short-lived tokens in CI/CD pipelines.

New Orka users typically hit three different credential prompts before they can do anything useful, and no two of them are the same thing. Here's how they fit together.

## The three systems

### 1. MacStadium portal credentials

Your MacStadium account username and password. Use these to log in to [portal.macstadium.com](https://portal.macstadium.com) to access your IP Plan, manage billing, and request changes to your cluster.

These credentials have nothing to do with Orka itself — they don't let you deploy VMs or run CLI commands.

### 2. Orka user tokens

Orka's own authentication layer, separate from the portal. You log in with:

```bash
orka3 login
```

This mints a **short-lived token that expires after 1 hour.** The token is scoped to your Orka namespace and lets you run CLI commands, deploy VMs, manage images, and access the web UI.

<Warning>
  Do not use `orka3 login` or `orka3 user get-token` in CI/CD pipelines. Tokens expire after 1 hour and will break long-running jobs.
</Warning>

**For CI/CD, use service accounts instead:**

```bash
orka3 sa create <SERVICE_ACCOUNT_NAME>
orka3 sa token <SERVICE_ACCOUNT_NAME> --no-expiration
```

Service account tokens are long-lived (default: 1 year) or non-expiring, and are designed to be injected as environment variables in your pipeline. See [Manage Service Accounts](/orka/orka-cluster-access/orka-cluster-manage-service-accounts) for the full workflow.
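A pipeline can catch a short-lived token before the job starts instead of failing halfway through. The preflight below is an added example, not MacStadium's code. It assumes the injected token is a JWT whose payload may carry a numeric `exp` claim, and `ORKA_TOKEN`, `MIN_TTL_SECONDS` and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: CI preflight that fails fast when the injected token would
# expire before the job finishes. ASSUMPTION: the token is a JWT whose payload
# may carry a numeric "exp" claim. The signature is not verified here.

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in          # base64url drops padding; restore it
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null || true
}

# check_token TOKEN MIN_TTL_SECONDS [NOW]
# Returns 0 if the token outlives the job, 1 if it would expire mid-job,
# 2 if it cannot be parsed.
check_token() {
  local payload exp now ttl
  now=${3:-$(date +%s)}
  payload=$(jwt_payload "$1")
  case $payload in
    \{*) ;;
    *) echo "preflight: token is not a decodable JWT" >&2; return 2 ;;
  esac
  exp=$(printf '%s' "$payload" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  if [ -z "$exp" ]; then
    echo "preflight: no exp claim, token does not expire"; return 0
  fi
  ttl=$(( exp - now ))
  if [ "$ttl" -lt "$2" ]; then
    echo "preflight: token expires in ${ttl}s, job needs ${2}s" >&2; return 1
  fi
  echo "preflight: token valid for ${ttl}s"
}

# Build an unsigned sample token (constructed data, not a real Orka token).
sample_token() {
  printf 'eyJhbGciOiJub25lIn0.%s.sig' \
    "$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

# Pipeline entry point; ORKA_TOKEN and MIN_TTL_SECONDS are hypothetical names.
if [ -n "${ORKA_TOKEN:-}" ]; then
  check_token "$ORKA_TOKEN" "${MIN_TTL_SECONDS:-21600}" || exit 1
fi
```

Set the minimum TTL to the longest job the pipeline runs; a token with the 1-hour lifetime of `orka3 login` then fails the preflight immediately.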

### 3. VM credentials

The macOS username and password inside each VM. These are what you use to SSH in or connect via Screen Sharing.

MacStadium base images ship with default credentials:

* **Username:** `admin`
* **Password:** `admin`

<Warning>
  Change the default VM password after your first login. The default `admin/admin` credentials are well known, and your VMs are accessible to anyone with VPN access to your cluster.
</Warning>

## Quick reference

| Credential              | Used for                                          | Expires                       |
| ----------------------- | ------------------------------------------------- | ----------------------------- |
| MacStadium portal login | portal.macstadium.com — billing, IP Plan, account | No                            |
| `orka3 login` token     | CLI and web UI (human use)                        | 1 hour                        |
| Service account token   | CI/CD pipelines and automation                    | 1 year (or never)             |
| VM credentials          | SSH, VNC into VMs                                 | Never (until you change them) |

## Common mistakes

**Using `orka3 login` in a pipeline.** The token will expire mid-job and cause confusing authentication errors. Use a service account.

**Rotating portal credentials and expecting Orka to break.** They're independent — changing your portal password doesn't affect your Orka tokens or service accounts.

**Leaving VM credentials at `admin/admin`.** Every VM on your cluster shares the same default, so a single compromised VM credential means all of them are exposed.
