Required Headers
All API endpoints (except health and token exchange) require these headers.
Most authenticated requests must include tenant context and either a JWT or an API key.
| Header | Required | Description |
|---|---|---|
| Authorization | Yes* | Bearer <jwt> for interactive users, or Bearer <api_key> for opaque service keys (must not look like a JWT) |
| X-Api-Key | Yes* | Alternative to Authorization: the full publicId.secret string |
| X-Tenant-Id | Yes** | Tenant UUID |
| X-Environment | Yes** | development, staging, production, or test |
* Provide one of: Authorization (Bearer) or X-Api-Key. If both are sent, X-Api-Key wins.
** For API key auth, X-Tenant-Id and X-Environment are mandatory and must match the tenant and environment the key was created for. For JWTs, the same headers are still required for routing and isolation (see Authentication overview).
Auth header
- JWT —
Authorization: Bearer <access_token>(typically three dot-separated segments). - API key — Prefer
X-Api-Key: pr_<public>.<secret>, orAuthorization: Bearer pr_<public>.<secret>if you cannot use a separate header.
The server detects JWTs heuristically (three segments). Opaque Bearer values are validated as API keys.
Tenant context
- X-Tenant-Id — UUID of the tenant. Must match the authenticated principal (user or key).
- X-Environment — One of:
development,staging,production,test. Data is isolated per tenant and environment.
Examples
JWT:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
X-Tenant-Id: 123e4567-e89b-12d3-a456-426614174000
X-Environment: production
API key:
X-Api-Key: pr_a1b2c3d4e5f6g7h8i9j0k1.abcdefghijklmnopqrstuvwxyz012345678901234
X-Tenant-Id: 123e4567-e89b-12d3-a456-426614174000
X-Environment: production
Endpoints that skip auth
These do not require Authorization or X-Api-Key:
GET /api/healthPOST /auth/token
X-Tenant-Id and X-Environment are not required for those endpoints.
Related
- Authentication Overview — Auth modes and flows
- Token Exchange — Get a JWT
- API Keys — Create, list, revoke, and use API keys