Two options. Use whichever fits your runtime.

• Session cookie

  — Requests originating from a *.sessions.website host carry the auth cookie automatically. Pass credentials:'include' when calling from JavaScript.

• Bearer token

  — Send Authorization: Bearer <jwt> for server-to-server flows, e2e tests, and embed-scoped sign-ins.

• MCP (AI assistants)

  — The public MCP server at /api/mcp gives AI assistants task-shaped tools. Discovery is anonymous; viewer tools (your registrations) use the session cookie, a Bearer JWT, or an OAuth access token scoped mcp:account obtained over the MCP OAuth flow. See the Agents page and /build/agents/mcp.json.

Authorization: Bearer <your-jwt>