Overview
The three credential types, member roles, and the unauthenticated surfaces.
Authenticated requests send Authorization: Bearer <token>. Three credential
types share the surface, each with a different blast radius.
API keys (tenant)
- Prefix
sk_live_/sk_test_, sent asAuthorization: Bearer sk_…. - Stored only as a hash — the full key is shown once, at creation.
- Tenant-scoped: an API key carries the full authority of its tenant across that tenant's applications, connections, webhooks, and billing.
- Revocable; a revoked key stops authenticating on its next request.
Manage keys under an application:
POST /v1/applications/{id}/keys # create (key returned once)
GET /v1/applications/{id}/keys # list (metadata only, never the secret)
DELETE /v1/applications/{id}/keys/{keyId} # revokeEach application also has a client_secret (returned once at application
creation, or from tenants:provision). The client_secret is not an API
key — its only job is to mint widget JWTs.
Widget JWTs (browser)
Short-lived JWTs minted server-side via POST /v1/tokens. Scoped to one
application and, optionally, one domain. They authorize only the browser-facing
Connect endpoints. This is the only credential that ever reaches the browser —
see Widget tokens.
Management & provision secrets (operator)
- The management key gates operator provisioning (
POST /v1/tenants,GET /v1/tenants/{id}) and cross-tenant reads (e.g. the full audit log). In production the control-plane refuses to start these routes open. - The provision secret gates only
POST /v1/tenants:provision(one-call signup), sent asX-Provision-Secret(or a Bearer token). The customer console's server holds this narrow secret instead of the management key.
Member roles
Human access is governed by tenant membership, not per-key scopes. A member
has a role — owner, admin, member, or viewer — invited and managed via
POST /v1/members, PATCH /v1/members/{id}, and POST /v1/members:accept. The
role/permission matrix is served as static reference at GET /v1/rbac.
Unauthenticated surfaces
GET /healthz— liveness + database readiness. No secrets, no tenant data.POST /internal/ask— the edge host-authorization gate. Not bearer-auth: it uses a shared secret (X-Edge-Auth/EDGE_ASK_SECRET) and must be network-isolated to the edge in production. It answers only{ approved }.GET /v1/connect/oauth/callback— the OAuth redirect target, authenticated by its signed single-usestaterather than a bearer token.
Public catalog reads (GET /v1/providers, /v1/plans, /v1/rbac,
/v1/templates) require no credential.