API Keys

API keys authenticate as Bearer tokens and are scoped to one organization.

The auth concepts available at release are:

  • accessToken
  • apiKey

Public docs cover how API keys work on public routes. They do not treat key-management routes as part of the public route reference.

Public usage

Common public scopes include:

  • agents:read
  • runs:read
  • skills:read
  • skills:write
  • tools:read
  • tools:write
  • evaluations:read
  • evaluations:write

resolveAuthorizedPrincipal(...) enforces org binding plus the required API-key scope for each route.
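
The two checks described above, org binding and the per-route scope, shown as an added example; this is not the product's resolveAuthorizedPrincipal code. The function name authorizeRequest, the route paths, the key values, the status codes and the exact-match scope rule are all assumptions made for illustration.

```javascript
// Added illustration, not the product's resolveAuthorizedPrincipal implementation.
// Constructed key store. Raw tokens are used as map keys for brevity;
// a real store would keep only a hash of each key.
const KEYS = new Map([
  ["key_constructed_reader", { orgId: "org_a", scopes: ["agents:read", "runs:read"] }],
  ["key_constructed_writer", { orgId: "org_b", scopes: ["skills:write"] }],
]);

// Hypothetical route table: every route names the one scope it requires.
const ROUTE_SCOPES = new Map([
  ["GET /agents", "agents:read"],
  ["GET /skills", "skills:read"],
  ["POST /skills", "skills:write"],
]);

function deny(status, reason) {
  return { ok: false, status, reason };
}

// orgId is the organization the request targets (assumed to come from the route).
function authorizeRequest({ method, path, orgId, authorization }) {
  const requiredScope = ROUTE_SCOPES.get(`${method} ${path}`);
  // Fail closed: a route with no declared scope is never served.
  if (!requiredScope) return deny(404, "unknown_route");

  // API keys arrive as Bearer tokens; any other scheme is rejected.
  const match = /^Bearer (\S+)$/.exec(authorization ?? "");
  if (!match) return deny(401, "missing_bearer_token");

  const key = KEYS.get(match[1]);
  if (!key) return deny(401, "unknown_key");

  // Org binding: a key is valid only inside the organization it was issued for.
  if (key.orgId !== orgId) return deny(403, "org_mismatch");

  // Exact scope match: skills:write does not imply skills:read here.
  if (!key.scopes.includes(requiredScope)) return deny(403, "missing_scope");

  return { ok: true, status: 200, principal: { orgId: key.orgId, scope: requiredScope } };
}
```

The org check runs before the scope check, so a key presented against another organization is rejected even when it holds the scope the route requires.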

Setup and admin routes

The shipped product uses /api/settings/api-keys* for setup and admin flows. Those routes require org settings permissions and are outside the public route reference.

Treat them as setup/admin surfaces, not as part of the supported public route catalog.
