# Authentication

SeaGate is the public auth boundary for API keys, web sessions, and delegated runtime tokens.

## Credential types

API keys are best for server-side scripts, CI jobs, and third-party integrations. Web sessions are for the browser product. Delegated runtime tokens are issued for managed runtime sessions and should not be forged by clients.

Do not send provider keys to SeaRouter. Do not call internal service ports directly. Do not set `x-seaverse-*` identity headers yourself.


## Headers

`Authorization: Bearer <token>` is the preferred header. `x-api-key: <token>` is accepted for API key clients. `x-request-id` is recommended for stable retry/audit correlation.

```bash
curl "https://seachat.ai/api/seagate/v1/capabilities?runtime=true" \
  -H "Authorization: Bearer $SEACHAT_API_KEY" \
  -H "x-request-id: docs-quickstart-001"
```
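
The header rules above and the `x-seaverse-*` rule from the credential section, as a shell wrapper (an added example, not SeaGate's own tooling): it refuses identity headers, hands the key to curl on stdin instead of in its argument list, and reuses one `x-request-id` across retries. The function names, `SEAGATE_URL`, `SEAGATE_REQUEST_ID`, the retry count and the request-id format are assumptions.

```bash
# Added example. Function names, SEAGATE_URL, SEAGATE_REQUEST_ID, the retry
# count and the request-id format are assumptions, not part of SeaGate.
SEAGATE_URL="https://seachat.ai/api/seagate/v1"  # base path from the curl example

# Return 1 for headers clients must not set (x-seaverse-*, any letter case).
seagate_check_header() {
  name=$(printf '%s' "${1%%:*}" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')
  case "$name" in
    x-seaverse-*) return 1 ;;
    *) return 0 ;;
  esac
}

# seagate_config REQUEST_ID [extra "Name: value" headers...]
# Prints a curl config for `curl --config -`, so the key is not in curl's argv.
seagate_config() {
  [ -n "${SEACHAT_API_KEY:-}" ] || { echo "SEACHAT_API_KEY is not set" >&2; return 2; }
  rid=$1; shift
  for h in "$@"; do
    seagate_check_header "$h" || { echo "refusing identity header: $h" >&2; return 3; }
  done
  printf 'header = "Authorization: Bearer %s"\n' "$SEACHAT_API_KEY"
  printf 'header = "x-request-id: %s"\n' "$rid"
  for h in "$@"; do printf 'header = "%s"\n' "$h"; done
}

# seagate_get PATH [extra headers...], e.g. seagate_get 'capabilities?runtime=true'
seagate_get() {
  path=$1; shift
  # One id per logical request, reused on every retry for audit correlation.
  rid=${SEAGATE_REQUEST_ID:-cli-$(date +%s)-$$}
  cfg=$(seagate_config "$rid" "$@") || return $?
  attempt=1
  while [ "$attempt" -le 3 ]; do
    # Without --fail, curl exits non-zero only on transport errors, so HTTP
    # error responses are returned to the caller instead of being retried.
    printf '%s\n' "$cfg" |
      curl --silent --show-error --max-time 30 --config - "$SEAGATE_URL/$path" && return 0
    attempt=$((attempt + 1))
    sleep "$attempt"
  done
  return 1
}
```

Set `SEAGATE_REQUEST_ID` when the caller already has an operation id to correlate against; otherwise one is generated per call to `seagate_get`.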

## Scope model

Every proxied route maps to an access family such as read, write, or invoke. The capability catalog exposes accepted scopes and also accepts service-route scopes like `seagate:route:searouter` for trusted service clients.

