Guide: Auth + Workspace Scopes

How workspace headers, roles, and auth modes are enforced.

Session/Hybrid: browser routes use secure session cookies with workspace context.
Token/Hybrid: automation tools use bearer tokens and explicit workspace headers.
Protected endpoints require both valid auth and role membership in target workspace.
Docs Try-It displays required roles from route metadata before execution.
MFA: when enabled per user, password/OAuth sign-in issues a second-step challenge before session issuance.
Trusted devices: remembered device cookie can bypass MFA until expiry/revocation.
Automation compatibility: API tokens and MCP service-account tokens remain outside MFA prompts.