Bearer Tokens
All documented routes use:
Authorization: Bearer <token>
Token kind is deterministic:
sk_...=> API key- JWT-structured token => access token (classification only; token trust requires verification)
No alternate auth header is required for API keys.
The official SDK also sends:
X-Prompt-Orchestra-Auth-Source: access_token | api_key
This header is telemetry-only and never affects authorization decisions.