> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sidenet.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate requests and scope them to an organization.

## Bearer token

All custom routes — except the Composio OAuth callback (`GET /composio/callback`)
— require a bearer token. Send it in the `Authorization` header:

```bash theme={null}
curl https://sidenet-api.up.railway.app/api/v1/threads \
  -H "Authorization: Bearer YOUR_API_KEY"
```

In the [API Reference](/api-reference) "Try it" panel, paste your token into the
**Authorization** field and it is sent automatically.

## Organization context

Requests are scoped to an organization. The org is resolved in this order:

1. The organization bound to your API key (preferred — nothing extra to send).
2. The `X-Organization-Id` header, when you need to act on a specific org.

```bash theme={null}
curl https://sidenet-api.up.railway.app/api/messages?threadId=THREAD_ID \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Organization-Id: YOUR_ORG_ID"
```

## User identity

Endpoints that read or write user-scoped data (threads, messages, memory) also
need to know which end user the request is for. Send the `X-User-Id` header;
user-scoped resources resolve to `{orgId}_{userId}`:

```bash theme={null}
curl https://sidenet-api.up.railway.app/api/v1/threads \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Organization-Id: YOUR_ORG_ID" \
  -H "X-User-Id: END_USER_ID"
```

A `userId` query param (or body field, where documented) is accepted as a
fallback.

<Note>
  Both headers are listed on each endpoint's reference page, along with any
  endpoint-specific requirements — e.g. `POST /v1/experiments` requires both
  `X-Organization-Id` and `X-User-Id`.
</Note>

## Errors

| Status | Meaning                                                                       |
| ------ | ----------------------------------------------------------------------------- |
| `401`  | Missing or invalid bearer token.                                              |
| `403`  | Token is valid but not authorized for the requested organization or resource. |
| `429`  | Usage limit reached for the organization.                                     |
