QFind anything/
API Reference

Required Headers

All API endpoints (except health and token exchange) require these headers.

Most authenticated requests must include tenant context and either a JWT or an API key.

HeaderRequiredDescription
AuthorizationYes*Bearer <jwt> for interactive users, or Bearer <api_key> for opaque service keys (must not look like a JWT)
X-Api-KeyYes*Alternative to Authorization: the full publicId.secret string
X-Tenant-IdYes**Tenant UUID
X-EnvironmentYes**development, staging, production, or test

* Provide one of: Authorization (Bearer) or X-Api-Key. If both are sent, X-Api-Key wins.

** For API key auth, X-Tenant-Id and X-Environment are mandatory and must match the tenant and environment the key was created for. For JWTs, the same headers are still required for routing and isolation (see Authentication overview).

Auth header

  • JWTAuthorization: Bearer <access_token> (typically three dot-separated segments).
  • API key — Prefer X-Api-Key: pr_<public>.<secret>, or Authorization: Bearer pr_<public>.<secret> if you cannot use a separate header.

The server detects JWTs heuristically (three segments). Opaque Bearer values are validated as API keys.

Tenant context

  • X-Tenant-Id — UUID of the tenant. Must match the authenticated principal (user or key).
  • X-Environment — One of: development, staging, production, test. Data is isolated per tenant and environment.

Examples

JWT:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
X-Tenant-Id: 123e4567-e89b-12d3-a456-426614174000
X-Environment: production

API key:

X-Api-Key: pr_a1b2c3d4e5f6g7h8i9j0k1.abcdefghijklmnopqrstuvwxyz012345678901234
X-Tenant-Id: 123e4567-e89b-12d3-a456-426614174000
X-Environment: production

Endpoints that skip auth

These do not require Authorization or X-Api-Key:

  • GET /api/health
  • POST /auth/token

X-Tenant-Id and X-Environment are not required for those endpoints.