Authentication

All endpoints require App authentication via two headers.

Header	Description
X-App-ID	Your application identifier. Alphanumeric, underscore, hyphen; max 64 chars.
X-API-Key	API key for your application. Validated via constant-time comparison.

Session ownership

Acting on a session requires that the session exists and its app_id matches your X-App-ID. Otherwise you receive:

• 404 Not Found — the session does not exist.
• 403 Forbidden — the session exists but belongs to another app.

Note

The gateway never reveals whether a session belongs to a different app beyond the 403 status — error bodies never leak internal identifiers.