> ## Documentation Index
> Fetch the complete documentation index at: https://docs.macstadium.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Understanding Orka Credentials

> Learn how Orka's three credential systems work, when to use each, and how to avoid the common mistake of using short-lived tokens in CI/CD pipelines.

New Orka users typically hit three different credential prompts before they can do anything useful, and none of the three are the same thing. Here's how they fit together.

## The three systems

### 1. MacStadium portal credentials

Your MacStadium account username and password. Use these to log in to [portal.macstadium.com](https://portal.macstadium.com) to access your IP Plan, manage billing, and request changes to your cluster.

These credentials have nothing to do with Orka itself. They don't let you deploy VMs or run CLI commands.

### 2. Orka user tokens

Orka's own authentication layer, separate from the portal. You log in with:

```bash theme={null}
orka3 login
```

This mints a **short-lived token that expires after 1 hour.** The token is scoped to your Orka namespace and lets you run CLI commands, deploy VMs, manage images, and access the web UI.

<Warning>
  Do not use `orka3 login` or `orka3 user get-token` in CI/CD pipelines. Tokens expire after 1 hour and will break long-running jobs.
</Warning>

**For CI/CD, use service accounts instead:**

```bash theme={null}
orka3 sa create <SERVICE_ACCOUNT_NAME>
orka3 sa token <SERVICE_ACCOUNT_NAME> --no-expiration
```

Service account tokens are long-lived (default: 1 year) or non-expiring, and are designed to be injected as environment variables in your pipeline. See [Manage Service Accounts](/orka/orka-cluster-access/orka-cluster-manage-service-accounts) for the full workflow.

### 3. VM credentials

The macOS username and password inside each VM. These are what you use to SSH in or connect via Screen Sharing.

MacStadium base images ship with default credentials:

* **Username:** `admin`
* **Password:** `admin`

<Warning>
  Change the default VM password after your first login. The default `admin/admin` credentials are well known and your VMs are accessible to anyone with VPN access to your cluster.
</Warning>

## Quick reference

| Credential              | Used for                                          | Expires                       |
| ----------------------- | ------------------------------------------------- | ----------------------------- |
| MacStadium portal login | portal.macstadium.com (billing, IP Plan, account) | No                            |
| `orka3 login` token     | CLI and web UI (human use)                        | 1 hour                        |
| Service account token   | CI/CD pipelines and automation                    | 1 year (or never)             |
| VM credentials          | SSH, VNC into VMs                                 | Never (until you change them) |

## Common mistakes

**Using `orka3 login` in a pipeline.** The token will expire mid-job and cause confusing authentication errors. Use a service account.

**Rotating portal credentials and expecting Orka to break.** They're independent: changing your portal password doesn't affect your Orka tokens or service accounts.

**Leaving VM credentials at `admin/admin`.** Every VM on your cluster shares the same default, so a single compromised VM credential means all of them are exposed.
