API key (kt_live_...)
Your server’s bearer token. Present it on every request:
- Validated by Karta; org-scoped.
- Carries explicit fine-grained scopes such as
releases:writeorwebhooks:write. - Every authenticated request is checked against the org’s current budget state.
- Valid on both the flat
/v1/sessions/...family and the agent/{org}/{agent}/v1/...family.
Session token
A short-lived, agent-scoped signed token your backend mints for an end user’s browser. Present it the same way:- Pins
org_id,agent_id,agent_slug,scope,exp. - Valid only on the agent’s
consumer adapters - the Managed Agents API
and the OpenAI-compatible routes. The native
/{org}/{agent}/v1/sessionsroutes and the flat routes require an API key. - Verified by Karta without a network round-trip.
- Minting requires the org to be within budget: an over-budget org gets
402from the mint endpoint (see Errors).
Choosing the right credential
Route family matrix
Use an API key on servers and management routes. Use a session token only where
an end-user browser needs to drive a specific deployed agent.
Auth failures
See Errors for the full table.

