Auth and scopes

Auth modes

• Read-only discovery surfaces are public.
• Transactional endpoints require scoped credentials.

Common scopes

• search.read
• stats.read
• feeds.read
• mcp.read
• quote.write, quote.read
• checkout.write, checkout.read

Headers

• API key: x-api-key: <key>
• Bearer (where configured): Authorization: Bearer <token>

For write endpoints, include:

• Idempotency-Key: <unique-key>