Authentication
All three API surfaces use API keys, but the scoping and identity model differs per surface.
Channel API Authentication
Authenticates as a user or on behalf of a user. The credentials you provide map to a platform user identity. All interactions are governed by that user's permissions, team memberships, and org policies.
```http
Authorization: Bearer YOUR_API_KEY
X-Channel-User-Id: usr_01hx...
```
The X-Channel-User-Id header identifies the end user on whose behalf the message is being sent. This identity is used for cost attribution and governance evaluation.
Platform API Authentication
Authenticates as an organisation or service account. API keys are scoped to specific organisations, teams, or agents. Operations are governed by the role associated with the key.
```http
Authorization: Bearer YOUR_API_KEY
```
Platform API keys are prefixed with tpk_ (team platform key) or opk_ (org platform key). The scope is determined at key creation time.
Integration API Authentication
Authenticates as an external system. Registration requires organisational approval. Execution credentials are scoped to specific tool definitions.
When Thinklio calls your registered tool endpoint, it includes a signature header you can use to verify the request originated from Thinklio:
```http
X-Thinklio-Signature: sha256=...
X-Thinklio-Timestamp: 1710000000
```
When your system calls Thinklio, use a standard API key with tool-specific scoping.
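One way to check the X-Thinklio-Signature and X-Thinklio-Timestamp headers described above on your tool endpoint, as an added example that is not Thinklio's own code. This page does not specify the signing scheme, so the HMAC-SHA256 over `timestamp + "." + body` with a shared secret, the 300-second replay window, and all sample values are assumptions; substitute the scheme given in Thinklio's documentation.

```python
import hashlib
import hmac
import time

# ASSUMPTION: replay window; the page does not state one.
MAX_SKEW_SECONDS = 300


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # ASSUMED scheme: hex HMAC-SHA256 over timestamp + "." + raw body.
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_request(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason) for an inbound tool call."""
    # HTTP header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    sig = h.get("x-thinklio-signature", "")
    ts = h.get("x-thinklio-timestamp", "")
    if not sig.startswith("sha256="):
        return False, "missing or unsupported signature"
    if not (ts.isascii() and ts.isdigit()):
        return False, "missing or malformed timestamp"
    # Reject old requests so a captured call cannot be replayed later.
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # The timestamp is covered by the MAC, so it cannot be refreshed
    # by an attacker without invalidating the signature.
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample values, not real credentials or traffic.
SECRET = b"example-signing-secret"
BODY = b'{"tool":"lookup","args":{"id":42}}'
TS = "1710000000"
GOOD = {"X-Thinklio-Signature": sign(SECRET, TS, BODY),
        "X-Thinklio-Timestamp": TS}

if __name__ == "__main__":
    print(verify_request(SECRET, GOOD, BODY, now=1710000060))
    print(verify_request(SECRET, GOOD, BODY + b" ", now=1710000060))
    print(verify_request(SECRET, GOOD, BODY, now=1710003600))
```

Run the check against the raw request bytes, before any JSON parsing or re-serialisation changes them.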
Key Management
API keys are managed through the Thinklio dashboard under Settings → API Keys. Keys can be scoped, rotated, and revoked independently. Rotate keys regularly and never commit them to source control.