Authentication
How to authenticate against the 42A API.
All requests include an Authorization: Bearer <key> header. Keys are issued from your 42A dashboard and verified server-side.
Org keys vs user keys
| Org key | User key | |
|---|---|---|
| Subject | org_xxx | user_xxx |
| Org context | Implicit (single org) | Chosen per request via X-Org-Id |
| Best for | Backend integrations | Power users / agencies managing multiple orgs |
For an org key, every request acts on the bound organization. For a user key, you must include X-Org-Id: org_xxx on any org-scoped endpoint:
curl -H "Authorization: Bearer ck_live_..." \
-H "X-Org-Id: org_2abcde" \
https://api.42a.ai/api/v1/projectsconst res = await fetch("https://api.42a.ai/api/v1/projects", {
headers: {
Authorization: "Bearer ck_live_...",
"X-Org-Id": "org_2abcde",
},
});
console.log(await res.json());import requests
res = requests.get(
"https://api.42a.ai/api/v1/projects",
headers={
"Authorization": "Bearer ck_live_...",
"X-Org-Id": "org_2abcde",
},
)
print(res.json())If you forget the header on a user key, you'll get:
{
"error": {
"code": "org_required",
"message": "X-Org-Id header is required.",
"request_id": "..."
}
}GET /api/v1/organizations and GET /api/v1/me work without X-Org-Id - call them to discover which orgs your key can act on.
Errors
Every error response uses a stable shape with a machine-readable code:
{
"error": {
"code": "<code>",
"message": "...",
"request_id": "..."
}
}code | HTTP | Meaning |
|---|---|---|
unauthorized | 401 | Missing or invalid bearer token |
forbidden | 403 | Authenticated but not allowed (wrong org, etc.) |
org_required | 400 | User key needs X-Org-Id for this endpoint |
not_found | 404 | Resource doesn't exist or isn't in your org |
invalid_filter | 400 | Unrecognized or unsupported filter combination |
bad_request | 400 | Malformed query parameter |
rate_limited | 429 | Per-key rate limit exceeded |
internal_error | 5xx | Something went wrong on our side |
Rate limits
Per-key starting limits (subject to change as we tune):
- 60 requests / minute (token bucket, capacity 120)
- 10,000 requests / day
When throttled you'll get a 429 with Retry-After, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
Rotating keys
Revoke a key from Settings → API keys in the dashboard. The next request using that key returns 401 - there is no warning period and no recovery.
Last updated