Authentication and access isolation

Authentication model

  • All documented API operations require Authorization: Bearer <jwt>.
  • Missing or invalid credentials return 401 Unauthorized.
  • Authenticated requests without access to the requested tenant, workspace, or project return 403 Forbidden.

Minimum headers

Authorization: Bearer <jwt>
Accept: application/json
Content-Type: application/json

Access isolation rules

  • The projectUUID used in a request must belong to the tenant associated with the token.
  • Workspace, library, and structure data are isolated by tenant.
  • Clients should not assume that identifiers from one tenant can be reused in another tenant context.

Integration guidance

  • Store access tokens securely and never embed production credentials in client-side code.
  • Treat 401 as an authentication failure and 403 as an access-scope or ownership failure.
  • Validate your integration against a non-production environment before sending live project data.
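The following is an added example, not code from the original documentation or from the API vendor. It shows both halves of the access-isolation and integration rules above in runnable form: a server-side check that turns a missing or invalid bearer token into 401 and a projectUUID owned by another tenant into 403, and a client-side helper that builds the minimum header set and interprets 401 versus 403 as the guidance says. Everything specific is an assumption: that tokens are HS256-signed JWTs carrying a "tenant" claim, the signing key, the project registry, and the project UUIDs are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 key for the example only; a real service verifies against
# the issuer's key material. Assumption: tokens carry a "tenant" claim.
SIGNING_KEY = b"constructed-example-key-not-for-production"

# Constructed project registry: projectUUID -> owning tenant.
PROJECTS = {
    "11111111-1111-4111-8111-111111111111": "tenant-a",
    "22222222-2222-4222-8222-222222222222": "tenant-b",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(tenant: str, key: bytes = SIGNING_KEY) -> str:
    """Mint a minimal HS256 JWT (stands in for the real issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"tenant": tenant}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY):
    """Return the claims if the token is well-formed and its HS256 signature
    matches, else None. Only HS256 is accepted, so an "alg": "none" token or a
    token signed with another algorithm is rejected rather than trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None


def authorize_request(headers: dict, project_uuid: str) -> int:
    """Server-side decision following the documented rules:
       401 - missing or invalid bearer credentials
       403 - authenticated, but projectUUID is not owned by the token's tenant
       200 - the request may proceed
    Unknown projectUUIDs also yield 403 (assumption: do not reveal whether a
    UUID exists under some other tenant)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    claims = verify_token(token)
    if claims is None or "tenant" not in claims:
        return 401
    if PROJECTS.get(project_uuid) != claims["tenant"]:
        return 403
    return 200


def minimum_headers(token: str) -> dict:
    """The minimum header set from the page, built from a bearer token."""
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def classify_status(status: int) -> str:
    """Client-side interpretation per the integration guidance."""
    if status == 401:
        return "authentication failure: token missing, expired or invalid"
    if status == 403:
        return "access-scope failure: project not owned by the token's tenant"
    if 200 <= status < 300:
        return "ok"
    return "other"


if __name__ == "__main__":
    token_a = make_token("tenant-a")
    own = "11111111-1111-4111-8111-111111111111"
    foreign = "22222222-2222-4222-8222-222222222222"
    for label, hdrs, pid in [("own project", minimum_headers(token_a), own),
                             ("other tenant's project", minimum_headers(token_a), foreign),
                             ("no credentials", {"Accept": "application/json"}, own)]:
        status = authorize_request(hdrs, pid)
        print(f"{label}: {status} -> {classify_status(status)}")
```

The tenant comparison is the isolation rule in one line: a syntactically valid projectUUID that belongs to another tenant is treated exactly like one that does not exist, so identifiers carried over from one tenant context tell the caller nothing about another.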