User sessions
Users sign in once at EthanKit and use that session across the console and product surfaces. Products should delegate account-level authentication back to the platform.
Product integrations
Product integrations call the API with an EthanKit API key (ek_live_…) sent as Authorization: Bearer <key>. Optionally identify the calling product with the x-ethankit-client header for usage attribution; it is a label only and does not affect authentication or model access. First-party EthanKit products may additionally use the OAuth/OIDC sign-in flow (Google, GitHub, or email) for user-level access. Keep API keys revocable and rotate them regularly.
Operational notes
- Rotate API keys on a regular schedule
- Revoke inactive sessions when users change sensitive settings
- Keep audit events tied to both the user and the API key
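
An added example, not EthanKit's own code, covering the header layout from Product integrations and the rotation and audit notes above: it builds the request headers and ties audit events to a key fingerprint instead of the key itself. The 90-day rotation interval, the label character set, the fingerprint scheme, and all function and field names are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

KEY_PREFIX = "ek_live_"            # key prefix shown on the page
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation interval, not from the page
LABEL_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed label format

def build_headers(api_key, client_label=None):
    """Request headers for a product integration call."""
    if not api_key.startswith(KEY_PREFIX) or len(api_key) == len(KEY_PREFIX):
        raise ValueError("expected an ek_live_ API key")
    headers = {"Authorization": f"Bearer {api_key}"}
    if client_label is not None:
        # Attribution label only; the strict charset also keeps CR/LF out of the header.
        if not LABEL_RE.fullmatch(client_label):
            raise ValueError("invalid x-ethankit-client label")
        headers["x-ethankit-client"] = client_label
    return headers

def key_fingerprint(api_key):
    """One-way reference to a key, safe to write to logs and audit events."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:16]

def audit_event(user_id, api_key, action, client_label=None, now=None):
    """Audit record tied to both the user and the key, without storing the key."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "user_id": user_id,
        "key_fp": key_fingerprint(api_key),
        "client": client_label,   # usage attribution, never an auth input
        "action": action,
    }

def keys_due_for_rotation(inventory, now=None):
    """Fingerprints of keys older than MAX_KEY_AGE (rows: key_fp, created)."""
    now = now or datetime.now(timezone.utc)
    return [r["key_fp"] for r in inventory if now - r["created"] > MAX_KEY_AGE]

if __name__ == "__main__":
    key = "ek_live_CONSTRUCTED_SAMPLE_0001"   # constructed sample, not a real key
    print(build_headers(key, "billing-dashboard"))
    print(audit_event("user-42", key, "api.call", "billing-dashboard"))
```

Storing the fingerprint alongside each issued key lets a revocation or rotation be matched to its audit trail without the key ever appearing in logs.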