Skip to main content

Authentication

Production requests use the X-API-Key header.
X-API-Key: your-api-key
The API hashes the provided key and looks it up in the database-backed api_keys table. The matching row determines the effective organization for template and generation access.

Local development fallback

In development or test mode, the API also accepts X-Org-Name when no API key is provided.
X-Org-Name: example_org
This is only a local convenience path. Production deployments should use X-API-Key.

Request behavior

  • Invalid keys return 403
  • Missing auth returns 401
  • Organization mismatches return 403