404, not 403, so the URL space does not reveal whether
another organization’s id exists.
The tenancy stack
In the hosted product, isolation nests at three levels, each with a different credential at its boundary:user_id or end_user_id; Karta keys the karta on it but never treats
the string as an authorization decision by itself. For virtual employees or
backend jobs, your backend supplies a trusted agent_instance_id instead.
Format and granularity are your contract.
See
Kartas & memory.
What isolation does and does not guarantee
These boundaries do not replace your own application authorization. If an agent
tool calls your backend, your backend still decides what that user, role, or job
can read or change. For prompt-injection and tool-risk review, see the
Security model.
Browser tokens
Browser traffic should never carry akt_live_... API key. Use one of these
instead:
Both paths still resolve to the same organization-scoped session model.

