Overview

Prompt Orchestra uses one Bearer transport for two token types:

  • user access tokens, checked through checkPermission(...)
  • API keys, authenticated through authenticateApiKey(...)

Public docs use four status labels consistently:

  • stable
  • public beta
  • non-public
  • legacy

Only the allowlisted public routes are documented as public, even if the API implementation is broader.

Public auth rules

  • POST /api/agents/:id/run, POST /api/agent-runs/:id/rerun-from-step, and POST /api/skills/:id/run are access_token_only
  • public read and setup routes can use api_key_or_access_token
  • evaluation run is currently api_key_or_access_token, not user-token-only
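
The rules above, sketched as a default-deny route policy check. This is an added example, not Prompt Orchestra code: the three access_token_only routes are taken from this page, while the GET placeholder path, the function names, and the credentialKind values are assumptions made for illustration.

```javascript
// Added example, not Prompt Orchestra source code.
const ACCESS_TOKEN_ONLY = "access_token_only";
const API_KEY_OR_ACCESS_TOKEN = "api_key_or_access_token";

const ROUTE_POLICY = [
  // These three routes and their mode are listed on this page.
  ["POST", "/api/agents/:id/run", ACCESS_TOKEN_ONLY],
  ["POST", "/api/agent-runs/:id/rerun-from-step", ACCESS_TOKEN_ONLY],
  ["POST", "/api/skills/:id/run", ACCESS_TOKEN_ONLY],
  // Hypothetical placeholder path standing in for a public read route.
  ["GET", "/api/example-resources/:id", API_KEY_OR_ACCESS_TOKEN],
];

// Compile "/api/agents/:id/run" into an anchored regex; ":name" matches one path segment.
function compile(pattern) {
  const body = pattern
    .split("/")
    .map((seg) => (seg.startsWith(":") ? "[^/]+" : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")))
    .join("/");
  return new RegExp(`^${body}/?$`);
}

const COMPILED = ROUTE_POLICY.map(([method, pattern, mode]) => ({ method, re: compile(pattern), mode }));

// Returns the auth mode for a request, or null when the route is not in the table.
function authModeFor(method, path) {
  const pathname = path.split("?")[0];
  const hit = COMPILED.find((r) => r.method === method.toUpperCase() && r.re.test(pathname));
  return hit ? hit.mode : null;
}

// credentialKind (assumed values): "access_token" or "api_key", set by whichever
// authenticator accepted the Bearer value. A true result only means the credential
// type is acceptable for the route; the permission check itself still has to run.
function decide(credentialKind, method, path) {
  const mode = authModeFor(method, path);
  if (mode === null) return { accepted: false, reason: "route_not_listed" };
  if (credentialKind === "access_token") return { accepted: true, reason: mode };
  if (credentialKind !== "api_key") return { accepted: false, reason: "unknown_credential" };
  return mode === API_KEY_OR_ACCESS_TOKEN
    ? { accepted: true, reason: mode }
    : { accepted: false, reason: "api_key_not_accepted" };
}
```

Because both token types arrive in the same Bearer header, the credential kind has to come from the authenticator that validated the value, never from a client-supplied hint.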
