Authentication
Every tenant-scoped request carries:
| Header | Required | Notes |
|---|---|---|
Authorization | yes | Bearer <JWT> ? Ed25519, 15-min TTL |
X-Tenant-Id | yes | Must match JWT tid; mismatch ? 403 authz.tenant_not_a_member |
Idempotency-Key | yes (POST/PUT/PATCH) | ULID; stored 24h |
traceparent | yes | W3C; gateway generates if missing |
Accept-Language | recommended | BCP-47 |
If-Match | required on optimistic-concurrency writes | Missing ? 428, mismatch ? 412 |
curl -X GET https://api.ghasi.io/api/v1/courses?cursor=eyJ2IjoxfQ \
-H 'Authorization: Bearer <jwt>' \
-H 'X-Tenant-Id: ten_01J…' \
-H 'Accept-Language: en'