Skip to main content
Protected routes require both endpoint authorization and organization authorization. Evaluating the API? Create a free personal key from the developer dashboard. Sign in with an email magic link and the key comes with the right grants already set. Agents can mint the same key without the dashboard: start an email OTP, verify the 6-digit code, then call POST /api-keys with the returned session token. A free personal key needs no organization or endpoint claims on the session token; the issued key carries them. The exact sequence is in Connect your agent and in the auth.self_serve_key block of GET /.well-known/health-agent.json.

Required token fields

RequirementAccepted claim names
User identitysub, plus route body user_id matching access rules
Organization accessorganization_id, org_id, organization_ids, org_ids, allowed_organizations, or the same fields under app_metadata
Endpoint grantshealth_enabled_endpoints, enabled_endpoints, or allowed_endpoints

Endpoint grant examples

{
  "organization_id": "org_001",
  "enabled_endpoints": [
    "imports.file",
    "biomarkers.derive",
    "biomarkers.analyze",
    "wearables.analyze",
    "genetics.analyze",
    "analyses.create",
    "analyses.read",
    "analyses.list",
    "analyses.recommendations.read",
    "sources.list",
    "sources.read",
    "trends.read",
    "dashboard_specs.read",
    "genetics.jobs.read",
    "connections.sync"
  ]
}
Use canonical dotted IDs in generated keys and service tokens. Grant analyses.create only when the product intentionally combines modalities.