The data plane recognizes three credential types, each resolving to a Principal that carries the org id, scopes, and budget status.
API key (`kt_live_…`)
Your server’s bearer token. Present it on every request:
- Validated against the control plane (cached ~5s); org-scoped.
- Carries scopes (`read`, `write`, `admin`) and a `budget_ok` flag.
- Valid on both the flat `/v1/sessions/…` family and the project `/v1/projects/{ref}/…` family.
Session token (JWT)
A short-lived, project-scoped HS256 JWT your backend mints for an end user’s browser. Present it the same way:
- Pins `org_id`, `project_id`, `project_slug`, `scope`, `exp`.
- Valid only on the project `/v1/projects/{ref}/…` family and the consumer adapters — not the flat routes.
- Verified offline by the data plane (no control-plane round trip).
Service token (internal only)
A shared bearer used by the control plane for `/v1/internal/*` endpoints, defended by IP and Host allowlists. Not part of the public API; never held by a customer.
Choosing the right credential
| Caller | Credential | Routes |
|---|---|---|
| Your backend | kt_live_… API key | flat + project |
| An end user’s browser/widget | session token | project + adapters |
| The control plane | service token | internal only |
Auth failures
| Status | Meaning |
|---|---|
| 401 | Missing or invalid credential. |
| 403 | Valid token, wrong project (a session token scoped elsewhere). |
| 404 | Resource not found or belongs to another org (default-deny). |
| 402 | Authenticated, but the org’s budget is exhausted. |
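The session-token section above says the data plane verifies the JWT offline and pins it to one project, and the table maps the outcomes to 401/403/402. The following is an added example, not Karta’s own code, showing both sides of that contract with only the standard library: the backend mints an HS256 JWT carrying exactly the claims the page lists, and a data-plane-style verifier checks the signature and `exp`, pins `project_id`, and then consults budget status. The signing secret, the `Principal` dataclass, the budget lookup dict and the 401 returned for a session token presented on a flat route are assumptions for illustration; the page does not state that last status.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo secret; a real deployment keeps the per-project signing key out of source.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class Principal:
    """Assumed shape of the resolved principal: org, project, scope and budget status."""
    org_id: str
    project_id: str
    project_slug: str
    scope: str
    budget_ok: bool


def mint_session_token(secret, org_id, project_id, project_slug, scope, ttl_seconds, now=None):
    """Backend side: mint a short-lived HS256 JWT pinning the claims the page lists."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"org_id": org_id, "project_id": project_id, "project_slug": project_slug,
               "scope": scope, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session_token(token, secret, expected_project_id, org_budget_ok, now=None, route="/v1/projects/"):
    """Data-plane side, offline: returns (http_status, Principal or None).

    org_budget_ok is an assumed lookup {org_id: bool}; the page only says the
    budget state is tracked per org and surfaces as 402.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return 401, None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm before trusting anything else: a header claiming "none"
        # or another alg must not be accepted for an HS256-only credential.
        if header.get("alg") != "HS256":
            return 401, None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return 401, None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all land here
        return 401, None
    required = ("org_id", "project_id", "project_slug", "scope", "exp")
    if any(k not in payload for k in required) or not isinstance(payload["exp"], int):
        return 401, None
    if payload["exp"] <= now:
        return 401, None  # expired: treated as an invalid credential
    if not route.startswith("/v1/projects/"):
        return 401, None  # assumption: a session token is not a valid credential on flat routes
    if payload["project_id"] != expected_project_id:
        return 403, None  # valid token, wrong project
    budget_ok = bool(org_budget_ok.get(payload["org_id"], False))
    if not budget_ok:
        return 402, None  # authenticated, but the org's budget is exhausted
    return 200, Principal(payload["org_id"], payload["project_id"], payload["project_slug"],
                          payload["scope"], budget_ok)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    tok = mint_session_token(DEMO_SECRET, "org_demo", "prj_1", "demo-project", "read", 300, now=t0)
    print(verify_session_token(tok, DEMO_SECRET, "prj_1", {"org_demo": True}, now=t0 + 60))
    print(verify_session_token(tok, DEMO_SECRET, "prj_2", {"org_demo": True}, now=t0 + 60))
```

The verifier deliberately checks the signature before it parses or trusts the payload, and it compares digests in constant time; the project pin is what turns a token minted for one project into a 403 rather than a silent cross-project read.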