Authentication

API keys are best for server-side scripts, CI jobs, and third-party integrations. Web sessions are for the browser product. Delegated runtime tokens are issued for managed runtime sessions and should not be forged by clients.

Do not send provider keys to SeaRouter. Do not call internal service ports directly. Do not set x-seaverse-* identity headers yourself.

Authorization: Bearer <token> is the preferred header. x-api-key: <token> is accepted for API key clients. x-request-id is recommended for stable retry/audit correlation.

curl https://seachat.ai/api/seagate/v1/capabilities?runtime=true \
  -H "Authorization: Bearer $SEACHAT_API_KEY" \
  -H "x-request-id: docs-quickstart-001"

Every proxied route maps to an access family such as read, write, or invoke. The capability catalog exposes accepted scopes and also accepts service-route scopes like seagate:route:searouter for trusted service clients.