API Authentication

Authenticate securely with API keys and service accounts.

All API calls require a bearer token generated from an access key or service account. Tokens include scopes that limit which projects and vaults a client can touch.

Token Types

  • Service tokens – long-lived credentials for trusted backend jobs.
  • Ephemeral tokens – short-lived credentials minted via the Setup Wizard or MCP flows.
  • User tokens – issued through OAuth/OIDC for human operators.

Send tokens in the Authorization: Bearer <token> header and rotate them regularly.
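
The following client-side sketch is an added example, not code from this API's own SDK. It builds a request with the Authorization: Bearer <token> header, refuses to send the token over plain HTTP, and keeps it from being replayed on redirects. The environment variable name EXAMPLE_API_TOKEN, the host api.example.invalid and the sample token are placeholders constructed for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

TOKEN_ENV = "EXAMPLE_API_TOKEN"  # hypothetical variable name (assumption)


def load_token(env=None):
    """Read the token at call time so a rotated value is picked up without a redeploy."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    # Reject empty values and embedded whitespace/control characters (header injection).
    if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError(f"{TOKEN_ENV} is missing or malformed")
    return token


def redact(token):
    """Log-safe form of a token: only the last four characters survive."""
    return "****" + token[-4:] if len(token) > 8 else "****"


def build_request(url, token):
    """Return a Request carrying the token, or raise if it would leave over plaintext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("bearer tokens are only sent over https")
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    # Unredirected headers are dropped by urllib when it follows a redirect,
    # so the token is never replayed to whatever host a 3xx points at.
    req.add_unredirected_header("Authorization", f"Bearer {token}")
    return req


if __name__ == "__main__":
    # Constructed sample token and placeholder host; no network call is made.
    demo = load_token({TOKEN_ENV: "constructed-sample-token-0000"})
    req = build_request("https://api.example.invalid/", demo)
    print("Authorization: Bearer", redact(demo))
```

Pass the returned request to urllib.request.urlopen to send it; log only the output of redact(), never the token itself.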