Organizations And Access

Every current public API call is tied to an organizationId.

Resolvers then enforce:

  • org membership for user tokens
  • org match for API keys
  • per-route permission or scope

Required organization id

If a public route requires organizationId and it is absent, the resolver returns 400 bad_request.

Access tokens vs. API keys

  • user access tokens work on all released public routes, including access_token_only routes
  • API keys work only on public routes that declare api_key_or_access_token and the matching scope
  • skill run remains access_token_only
  • evaluation run currently supports API keys with evaluations:write
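
The checks above, combined into one decision function as an added example (not the product's own resolver code). The route names, permission names, credential shapes and the 403 `forbidden` result are assumptions; only the auth-mode names, the `evaluations:write` scope and `400 bad_request` come from this page.

```javascript
// Hypothetical route table: names and permissions are illustrative, not the real API surface.
const ROUTES = {
  "skill.run":      { auth: "access_token_only",       permission: "skills:run" },
  "evaluation.run": { auth: "api_key_or_access_token", permission: "evaluations:run",
                      scope: "evaluations:write" },
};

// Assumed denial shape; the page only specifies the 400 bad_request case.
const deny = (reason) => ({ status: 403, code: "forbidden", reason });
const ok = () => ({ status: 200, code: "ok" });

function authorize(routeName, credential, organizationId) {
  const route = ROUTES[routeName];
  if (!route) throw new Error(`unknown route: ${routeName}`);

  // 1. Required organization id: reject before inspecting the credential.
  if (typeof organizationId !== "string" || organizationId === "") {
    return { status: 400, code: "bad_request", reason: "organizationId missing" };
  }

  if (credential.kind === "access_token") {
    // 2a. User token: caller must be a member of the requested org.
    //     memberships is a Map (orgId -> permissions) so ids like "__proto__" cannot match.
    const perms = credential.memberships.get(organizationId);
    if (!perms) return deny("not a member of organization");
    // 3a. Per-route permission inside that org.
    if (!perms.includes(route.permission)) return deny("missing permission");
    return ok();
  }

  if (credential.kind === "api_key") {
    // 2b. API key: the route must opt in to API keys at all.
    if (route.auth !== "api_key_or_access_token") return deny("route is access_token_only");
    // The key's own org must equal the organizationId named in the request.
    if (credential.organizationId !== organizationId) return deny("api key org mismatch");
    // 3b. The key must carry the scope the route declares.
    if (!credential.scopes.includes(route.scope)) return deny("missing scope");
    return ok();
  }

  return deny("unsupported credential");
}
```

The organization id is checked first, so a request without one gets the same `400` regardless of which credential it carries.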
