Public docs

Guide: Auth + Workspace Scopes

How workspace headers, roles, and auth modes are enforced.

Session/Hybrid: browser routes use secure session cookies with workspace context.
Token/Hybrid: automation tools use bearer tokens and explicit workspace headers.
Protected endpoints require both valid auth and role membership in target workspace.
Docs Try-It displays required roles from route metadata before execution.
MFA: when enabled per user, password/OAuth sign-in issues a second-step challenge before session issuance.
Trusted devices: remembered device cookie can bypass MFA until expiry/revocation.
Automation compatibility: API tokens and MCP service-account tokens remain outside MFA prompts.

Last updated

Mar 24, 2026

Feedback

Report unclear guidance, stale contracts, missing coverage, or broken docs UI on this page.

Last updated

Mar 24, 2026

Feedback

Report unclear guidance, stale contracts, missing coverage, or broken docs UI on this page.

Public docs

How workspace headers, roles, and auth modes are enforced.

Session/Hybrid: browser routes use secure session cookies with workspace context.
Token/Hybrid: automation tools use bearer tokens and explicit workspace headers.
Protected endpoints require both valid auth and role membership in target workspace.
Docs Try-It displays required roles from route metadata before execution.
MFA: when enabled per user, password/OAuth sign-in issues a second-step challenge before session issuance.
Trusted devices: remembered device cookie can bypass MFA until expiry/revocation.
Automation compatibility: API tokens and MCP service-account tokens remain outside MFA prompts.

Last updated

Mar 24, 2026

Feedback

Report unclear guidance, stale contracts, missing coverage, or broken docs UI on this page.

Last updated

Mar 24, 2026

Feedback

Report unclear guidance, stale contracts, missing coverage, or broken docs UI on this page.