Skip to main content
Karta runs as a shared service with auth-enforced organization scoping. Access is default-deny: an API key scoped to org A cannot touch org B’s sessions, even by guessing session ids.
Every session lookup is checked against the caller’s organization. A cross-org lookup returns 404, not 403, so the URL space does not reveal whether another organization’s id exists.

The tenancy stack

In the hosted product, isolation nests at three levels, each with a different credential at its boundary:
Each session also runs in its own isolated runtime environment, so the boundary is enforced while code executes as well as in ownership records. The org to karta / acting-user boundary is enforced by the credential, the session owner, and the karta id. For per-user kartas, your app supplies an opaque user_id or end_user_id; Karta keys the karta on it but never treats the string as an authorization decision by itself. For virtual employees or backend jobs, your backend supplies a trusted agent_instance_id instead. Format and granularity are your contract. See Kartas & memory.

What isolation does and does not guarantee

These boundaries do not replace your own application authorization. If an agent tool calls your backend, your backend still decides what that user, role, or job can read or change. For prompt-injection and tool-risk review, see the Security model.

Browser tokens

Browser traffic should never carry a kt_live_... API key. Use one of these instead: Both paths still resolve to the same organization-scoped session model.