External services that integrate with Orbit are given a minimal set of permissions required to perform their function.
External access is validated through the token authentication mentioned in the article - User access to Orbit. Orbit Online keeps an encrypted backup of those tokens. However, their safekeeping on the customer side is undoubtedly the responsibility of the customer.
The tokens are transferred via a two-channel method. Commonly, Orbit Online encrypts the secret strings with a password, sends the ciphertext via email, and transmits the encryption key via either a phone call or text message. Upon transmission, both the ciphertext and the password are deleted from Orbit Online’s records. Reducing the likelihood of an attacker gaining access to Orbit if one, or both, communication channel should suffer a security breach.
Orbit Online recommends that your organisation follows the same procedure.