42ADocs

Authentication

How to authenticate against the 42A API.

All requests include an Authorization: Bearer <key> header. Keys are issued from your 42A dashboard and verified server-side.

Org keys vs user keys

Org keyUser key
Subjectorg_xxxuser_xxx
Org contextImplicit (single org)Chosen per request via X-Org-Id
Best forBackend integrationsPower users / agencies managing multiple orgs

For an org key, every request acts on the bound organization. For a user key, you must include X-Org-Id: org_xxx on any org-scoped endpoint:

curl -H "Authorization: Bearer ck_live_..." \
     -H "X-Org-Id: org_2abcde" \
     https://api.42a.ai/api/v1/projects
const res = await fetch("https://api.42a.ai/api/v1/projects", {
  headers: {
    Authorization: "Bearer ck_live_...",
    "X-Org-Id": "org_2abcde",
  },
});
console.log(await res.json());
import requests

res = requests.get(
    "https://api.42a.ai/api/v1/projects",
    headers={
        "Authorization": "Bearer ck_live_...",
        "X-Org-Id": "org_2abcde",
    },
)
print(res.json())

If you forget the header on a user key, you'll get:

{
  "error": {
    "code": "org_required",
    "message": "X-Org-Id header is required.",
    "request_id": "..."
  }
}

GET /api/v1/organizations and GET /api/v1/me work without X-Org-Id - call them to discover which orgs your key can act on.

Errors

Every error response uses a stable shape with a machine-readable code:

{
  "error": {
    "code": "<code>",
    "message": "...",
    "request_id": "..."
  }
}
codeHTTPMeaning
unauthorized401Missing or invalid bearer token
forbidden403Authenticated but not allowed (wrong org, etc.)
org_required400User key needs X-Org-Id for this endpoint
not_found404Resource doesn't exist or isn't in your org
invalid_filter400Unrecognized or unsupported filter combination
bad_request400Malformed query parameter
rate_limited429Per-key rate limit exceeded
internal_error5xxSomething went wrong on our side

Rate limits

Per-key starting limits (subject to change as we tune):

  • 60 requests / minute (token bucket, capacity 120)
  • 10,000 requests / day

When throttled you'll get a 429 with Retry-After, X-RateLimit-Remaining, and X-RateLimit-Reset headers.

Rotating keys

Revoke a key from Settings → API keys in the dashboard. The next request using that key returns 401 - there is no warning period and no recovery.

Last updated