Protected routes accept Authorization: Bearer <token>.
cURL:
curl -sS https://api.orgs.sh/v1/entities \
  -H "authorization: Bearer $ORGS_API_KEY"

Credential formats

The API currently accepts two bearer credential formats:
Opaque account API key. The server hashes the presented token with BLAKE3 and looks it up against stored account records.
Authorization (string, required): Bearer token. Missing headers return 401.

Public routes

Health

GET /health is public and does not call the auth layer.

Create account

POST /v1/accounts bootstraps account access and returns a raw API key once.

Protected routes

Entity, proposal, formation, and billing read/upgrade routes require bearer auth. Ownership is enforced at the account boundary. Cross-account entity reads return 404 rather than 403 to prevent enumeration.
Agents should never place API keys in prompts, source code, logs, saved transcripts, or long-term memory. Use runtime secret injection.
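The auth layer described above (hash the presented key, look it up, 401 on missing or unknown credentials, 404 rather than 403 for another account's entity), as an added illustrative example that is not the API's own code. It uses the third-party blake3 package when installed and otherwise falls back to stdlib BLAKE2b purely so it runs offline; the key store, account ids and entity ids are constructed sample data.

```python
from typing import Dict, Optional, Tuple

try:
    from blake3 import blake3 as _blake3  # the page states the server hashes keys with BLAKE3

    def token_digest(token: str) -> str:
        return _blake3(token.encode()).hexdigest()
except ImportError:  # fallback only so the example runs without third-party packages
    import hashlib

    def token_digest(token: str) -> str:
        return hashlib.blake2b(token.encode(), digest_size=32).hexdigest()

# Constructed demo keys; a real store holds only digests, never the raw key.
RAW_KEYS: Dict[str, str] = {"acct_a": "orgs_" + "a" * 32, "acct_b": "orgs_" + "b" * 32}
KEY_STORE: Dict[str, str] = {token_digest(k): acct for acct, k in RAW_KEYS.items()}

# Constructed entities: entity id -> owning account.
ENTITIES: Dict[str, str] = {"ent_1": "acct_a", "ent_2": "acct_b"}


def authenticate(headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Return (status, account_id); 401 when the header is missing or the key is unknown."""
    # Header names are case-insensitive; the cURL example above sends it lowercase.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return 401, None
    parts = auth.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return 401, None
    # Lookup is by digest, so the raw key never touches the database.
    account = KEY_STORE.get(token_digest(parts[1]))
    if account is None:
        return 401, None
    return 200, account


def read_entity(headers: Dict[str, str], entity_id: str) -> int:
    """Ownership is enforced at the account boundary; a foreign entity is indistinguishable from a missing one."""
    status, account = authenticate(headers)
    if status != 200:
        return status
    owner = ENTITIES.get(entity_id)
    if owner is None or owner != account:
        return 404  # not 403: a 403 would confirm the entity id exists
    return 200
```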