Authentication
API requests authenticate with a Bearer token issued from your tenant settings. Tokens are scoped per tenant and per role.
01
Bearer token
- Generate from Settings → API keys (admin only).
- Include in every request: `Authorization: Bearer <token>`.
- Tokens are revocable; rotate them at least every 90 days.
02
Cookie sessions
- The web app uses an httpOnly cookie session for browser users.
- Sessions expire after 7 days of inactivity.
- Same-site policy is `Lax` to prevent CSRF on cross-origin POSTs.