POST /api-keys with the returned session token.
A free personal key needs no organization or endpoint claims on the session
token; the issued key carries them. The exact sequence is in
Connect your agent and in the auth.self_serve_key
block of GET /.well-known/health-agent.json.
Required token fields
| Requirement | Accepted claim names |
|---|---|
| User identity | sub, plus route body user_id matching access rules |
| Organization access | organization_id, org_id, organization_ids, org_ids, allowed_organizations, or the same fields under app_metadata |
| Endpoint grants | health_enabled_endpoints, enabled_endpoints, or allowed_endpoints |
Endpoint grant examples
analyses.create only when the product intentionally combines modalities.