Authorization header. The key identifies your organization, the actor (API key or user), and the role the key was created under.
Generate a key
Create a key from the dashboard at Settings → API keys. The token is shown once — copy it into a secrets manager immediately. See Create and manage API keys for the full flow, token format, and revocation steps.
Send the key
Pass the token in the Authorization header on every request:
curl example against the org endpoint:
GET /org as a smoke test for any new key or environment.
Roles and required permissions
The role frozen at API key creation time is enforced on every request. Read endpoints are open to all roles; write endpoints (create, update, archive, dispatch) require editor, admin, or owner.
| Surface | Read | Write |
|---|---|---|
| /org | any role | — |
| /mcp-servers | any role | editor, admin, owner |
| /workflows | any role | editor, admin, owner |
| /workflows/{id}/runs (dispatch) | — | editor, admin, owner |
| /runs | any role | — |
| /insights/* | any role with the feature enabled | editor, admin, owner (topic edits) |
403 with error.code = forbidden_role. To change a key’s role, revoke it and create a new key under the desired role.
Authentication failures
| Status | Cause | Fix |
|---|---|---|
| 401 unauthenticated | Missing, malformed, or revoked token | Verify the Authorization header and check the key list in Settings → API keys. |
| 403 forbidden_role | The key’s role is too low for this operation | Use a key created under a higher role. |
| 403 feature_disabled | The endpoint depends on a feature that is not enabled for your organization (most often MCP Analytics for /insights/*) | Enable the feature from the dashboard or contact your admin. |
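
An added example, not part of the original documentation: a local preflight that uses the roles table and the failure table above to predict which planned calls a key would fail, and to flag a write-capable key that is only ever used for reads. The `viewer` role name, the sample paths, sub-paths under each surface, and treating GET as a read and every other method as a write are assumptions; the page does not say which 403 is reported first when both apply, so this sketch checks the feature first.

```python
import re

WRITE_ROLES = {"editor", "admin", "owner"}  # roles the page allows to write

# (path pattern, has read, has write, needs the Insights feature), per the roles table.
# Sub-paths such as /mcp-servers/<id> are an assumption, not documented on the page.
SURFACES = [
    (r"/org", True, False, False),
    (r"/mcp-servers(/.*)?", True, True, False),
    (r"/workflows/[^/]+/runs", False, True, False),  # dispatch: write only
    (r"/workflows(/.*)?", True, True, False),
    (r"/runs(/.*)?", True, False, False),
    (r"/insights/.*", True, True, True),
]


def predict(role, method, path, insights_enabled=False):
    """Return 'ok', 'forbidden_role', 'feature_disabled' or 'no_such_operation'."""
    is_write = method.upper() != "GET"  # assumption: GET reads, anything else writes
    for pattern, has_read, has_write, needs_feature in SURFACES:
        if re.fullmatch(pattern, path):
            if not (has_write if is_write else has_read):
                return "no_such_operation"  # a "—" cell in the table
            if needs_feature and not insights_enabled:
                return "feature_disabled"
            if is_write and role not in WRITE_ROLES:
                return "forbidden_role"
            return "ok"
    return "no_such_operation"


def audit(role, planned_calls, insights_enabled=False):
    """Return (calls that would fail, True if a write role is held but never needed)."""
    failures = [(m, p, r) for m, p in planned_calls
                if (r := predict(role, m, p, insights_enabled)) != "ok"]
    needs_write = any(m.upper() != "GET" for m, _ in planned_calls)
    return failures, (role in WRITE_ROLES and not needs_write)


# Constructed sample: the calls one integration intends to make.
PLAN = [("GET", "/org"), ("GET", "/runs"), ("POST", "/workflows/wf_123/runs")]

if __name__ == "__main__":
    print(audit("viewer", PLAN))      # the dispatch call needs a write role
    print(audit("admin", PLAN[:2]))   # read-only plan: the admin key is more than needed
```

Because the role is frozen at key creation, running a check like this before issuing the key avoids a revoke-and-recreate cycle later.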