API Authentication

Two Auth Methods

1. API Key (server-to-server, probes, CLI)

curl https://govern-api.ben-c1f.workers.dev/api/govern/systems \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Govern-Org-Id: YOUR_ORG_ID"

2. Supabase JWT (browser, govern-app)

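// Assumes `supabase` is an initialised Supabase client and that
// `url` and `orgId` are supplied by the calling code.
const { data: { session } } = await supabase.auth.getSession();
// getSession() returns a null session when no user is signed in.
if (!session) throw new Error("Not signed in");
fetch(url, {
  headers: {
    // The access token is the user's Supabase JWT.
    Authorization: `Bearer ${session.access_token}`,
    "X-Govern-Org-Id": orgId,
  },
});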

Org Scoping

Every request requires the X-Govern-Org-Id header. The API verifies that the user or key belongs to that org before returning data. Org isolation is enforced at both the API and the database (RLS) levels.
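
The check described above, sketched as an added example (this is not the Govern API's own code): the org header is treated as a claim by the caller and compared against server-side membership before any data is read. The token table, membership table, function name and status codes are assumptions made for illustration.

```javascript
// Added illustration, not the service's source. All data below is constructed.
// Hypothetical credential resolver: bearer token -> principal id.
// A real service would verify an API key hash or a JWT signature here.
const TOKENS = new Map([
  ["test-api-key", "key:probe-1"],
  ["test-jwt", "user:alice"],
]);

// Hypothetical server-side membership: principal id -> orgs it belongs to.
const MEMBERSHIPS = new Map([
  ["key:probe-1", new Set(["org_a"])],
  ["user:alice", new Set(["org_a", "org_b"])],
]);

function authorizeOrg(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );

  // Step 1: authenticate the credential (API key or JWT).
  const m = /^Bearer\s+(\S+)$/i.exec(h["authorization"] || "");
  if (!m) return { status: 401, error: "missing or malformed bearer token" };
  const principal = TOKENS.get(m[1]);
  if (!principal) return { status: 401, error: "unknown credential" };

  // Step 2: the org header is mandatory on every request.
  const orgId = h["x-govern-org-id"];
  if (!orgId) return { status: 400, error: "X-Govern-Org-Id header required" };

  // Step 3: never trust the header alone; check it against membership.
  const orgs = MEMBERSHIPS.get(principal);
  if (!orgs || !orgs.has(orgId)) {
    return { status: 403, error: "principal does not belong to org" };
  }

  // Downstream queries use only this verified orgId; database RLS
  // repeats the same restriction as a second layer.
  return { status: 200, principal, orgId };
}
```

A valid key for org_a sent with `X-Govern-Org-Id: org_b` is rejected at step 3, which is the cross-tenant case the header check exists to stop.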

Rate Limits

Plan          Requests/min  Concurrent
Starter       60            5
Professional  600           50
Enterprise    6000          500