Bearer token
All custom routes — except the Composio OAuth callback (GET /composio/callback)
— require a bearer token. Send it in the Authorization header:
Organization context
Requests are scoped to an organization. The org is resolved in this order:- The organization bound to your API key (preferred — nothing extra to send).
- The
X-Organization-Idheader, when you need to act on a specific org.
User identity
Endpoints that read or write user-scoped data (threads, messages, memory) also need to know which end user the request is for. Send theX-User-Id header;
user-scoped resources resolve to {orgId}_{userId}:
userId query param (or body field, where documented) is accepted as a
fallback.
Both headers are listed on each endpoint’s reference page, along with any
endpoint-specific requirements — e.g.
POST /v1/experiments requires both
X-Organization-Id and X-User-Id.Errors
| Status | Meaning |
|---|---|
401 | Missing or invalid bearer token. |
403 | Token is valid but not authorized for the requested organization or resource. |
429 | Usage limit reached for the organization. |
