Skip to main content
Karta recognizes two credential types. Each one resolves to an org, a set of scopes, and the current budget status.

API key (kt_live_...)

Your server’s bearer token. Present it on every request:
  • Validated by Karta; org-scoped.
  • Carries explicit fine-grained scopes such as releases:write or webhooks:write.
  • Every authenticated request is checked against the org’s current budget state.
  • Valid on both the flat /v1/sessions/... family and the agent /{org}/{agent}/v1/... family.
See API keys for shape, scopes, and storage.

Session token

A short-lived, agent-scoped signed token your backend mints for an end user’s browser. Present it the same way:
  • Pins org_id, agent_id, agent_slug, scope, exp.
  • Valid only on the agent’s consumer adapters - the Managed Agents API and the OpenAI-compatible routes. The native /{org}/{agent}/v1/sessions routes and the flat routes require an API key.
  • Verified by Karta without a network round-trip.
  • Minting requires the org to be within budget: an over-budget org gets 402 from the mint endpoint (see Errors).
See Session tokens for the mint-and-use flow.

Choosing the right credential

Route family matrix

Use an API key on servers and management routes. Use a session token only where an end-user browser needs to drive a specific deployed agent.
Never ship a kt_live_... key to a browser or mobile client. It is a server credential that may carry broad org authority. Mint a session token server-side for the edge instead.

Auth failures

See Errors for the full table.