A session token is how an end user’s browser reaches a Karta project safely. ADocumentation Index
Fetch the complete documentation index at: https://docs.karta.sh/llms.txt
Use this file to discover all available pages before exploring further.
kt_live_… key is an org-wide management credential and must never ship to a
client. Instead, your backend mints a short-lived, project-scoped JWT per
authenticated end user, and the widget presents that.
This is the standard “ephemeral client secret” pattern: the long-lived secret
stays on your server; a narrow, expiring token reaches the browser.
The flow
Your backend mints a token
After your own auth confirms the user, call the mint endpoint with your
kt_live_… key. You get back an HS256 JWT scoped to one org + project, with
a short TTL (~15 min).The widget uses it
The browser presents the session token to the project’s consumer endpoints
— create a session, send, stream. It can be used on the
/v1/projects/{ref}/… routes and the
consumer adapters, but not on the
flat /v1/sessions management routes.What the token pins
The minted JWT pinsorg_id, project_id, project_slug, scope, and exp.
Because org and project are pinned, cross-tenant access is blocked: a token
for one project can’t touch another.
Per-user binding is a decided, not-yet-implemented hardening. Today the
token does not bind the specific end user, so cross-user isolation within an
org currently rests on your integration discipline (the
user_id you put in
session metadata). The decision is to add a sub = user_id claim and enforce
metadata.user_id == claims.sub at session-create time, turning per-user
isolation into a platform guarantee. Until then, mint one token per
authenticated user and set the matching user_id yourself.