API

Authentication

How Everyn API clients authenticate, select organizations, and use scopes.

Everyn product API calls use organization-owned API keys. A machine key selects exactly one organization, so product routes derive tenant context from the bearer credential instead of trusting caller-supplied organization identifiers.

Authentication model

Use the standard bearer header for machine/API-key calls:

Authorization: Bearer sk-everyn-...

Product API keys are machine principals. They can call product surfaces such as datasets, job specs, runs, exports, alert rules, and webhooks, but they cannot manage organizations, members, invitations, audit events, or API keys.

Implemented machine-key scopes:

ScopeUsed for
datasets:read / datasets:writeDataset reads and dataset upload intake.
job_specs:read / job_specs:writeModel catalog reads and job spec management.
runs:read / runs:writeRun creation, start, cancel, retry, inspection, rows, outputs, and failures.
exports:read / exports:writeExport creation, polling, listing, and download.
alert_rules:read / alert_rules:writeAlert rules and alert delivery inspection.
webhooks:read / webhooks:writeWebhook endpoints, secret rotation, tests, and delivery inspection.

Common auth outcomes:

StatusMeaningNext step
401 authentication_failedMissing, malformed, unknown, revoked, or expired credential.Replace the bearer credential.
403 authorization_failedCredential is valid but lacks the required scope or role.Use a credential with the required scope or admin role.
404 not_foundResource does not exist for the authenticated organization.Verify the ID belongs to the same organization before retrying.

Use API errors for recovery patterns and generated reference for endpoint-level auth requirements.