OrgX uses different authentication mechanisms for each public integration surface.
| Surface | Auth method | Credential |
| --- | --- | --- |
| REST Public Preview | API key | Authorization: Bearer oxk_... |
| Hosted MCP | OAuth 2.1 with PKCE | Client-managed access token |
| Webhooks | HMAC signature | X-OrgX-Signature |

REST API Keys

REST Public Preview endpoints use user-scoped API keys. API keys begin with oxk_ and inherit the workspace access of the user who created them.
curl https://useorgx.com/api/client/bootstrap \
  -H "Authorization: Bearer $ORGX_API_KEY" \
  -H "Accept: application/json"
API keys are secrets. Do not expose them in browser code, public repositories, logs, screenshots, or client-side bundles.
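One way to keep keys out of application logs and to check existing text for leaked keys, as an added example that is not OrgX's own code. It assumes a key body of at least 8 letters, digits, underscores or hyphens after the documented oxk_ prefix; `redact`, `RedactOrgXKeys` and `find_leaks` are hypothetical names, and the sample key is fake.

```python
import logging
import re

# Assumption: the page only documents the "oxk_" prefix. The character set and
# minimum length of the key body are guesses chosen to avoid matching ordinary
# words; adjust them to the keys OrgX actually issues.
KEY_PATTERN = re.compile(r"\boxk_[A-Za-z0-9_\-]{8,}")


def redact(text: str, keep: int = 4) -> str:
    """Mask each key, keeping "oxk_" plus `keep` characters to identify it."""
    def _mask(match: re.Match) -> str:
        return match.group(0)[: len("oxk_") + keep] + "...[REDACTED]"
    return KEY_PATTERN.sub(_mask, text)


class RedactOrgXKeys(logging.Filter):
    """Logging filter that masks OrgX API keys before a record is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render message and args first so keys passed as %s arguments are caught.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def find_leaks(lines):
    """Return (line_number, redacted_line) for every line that contains a key."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1)
            if KEY_PATTERN.search(line)]


# Constructed sample input; the key below is fake.
SAMPLE_LOG = [
    "GET /api/client/bootstrap 200",
    "request headers: Authorization: Bearer oxk_FAKEfake0123456789",
    "retrying after timeout",
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactOrgXKeys())  # attach to every handler that writes logs
    log = logging.getLogger("orgx-demo")
    log.addHandler(handler)
    log.warning("calling OrgX with key %s", "oxk_FAKEfake0123456789")
    print(find_leaks(SAMPLE_LOG))
```

A key that `find_leaks` reports has already been exposed: revoke it in settings and issue a new one.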

Create an API Key

  1. Sign in to OrgX.
  2. Open Settings.
  3. Find OrgX API keys.
  4. Generate a key for the integration or sandbox workspace.
  5. Store the full key immediately. OrgX only shows it once.
The settings UI lists each key prefix, name, creation time, and last-used time. Revoke keys from the same settings area when an integration is retired.

Request Headers

| Header | Required | Description |
| --- | --- | --- |
| Authorization | Yes | Bearer oxk_... |
| Accept | Recommended | application/json |
| Content-Type | Required for JSON bodies | application/json |
| OrgX-Version | Optional preview convention | Contract date for integrations that pin a documented preview version, for example 2026-04-29 |
| Idempotency-Key | When documented by the endpoint | Unique key for retryable writes with server-side idempotency support |

Workspace Scope

Every API key resolves to a user and workspace context. Route handlers enforce that callers only read or write accessible resources. Do not pass arbitrary user_id values in requests. API-key requests use the authenticated identity, not a caller-provided identity.

Failed Authentication

Missing, revoked, malformed, or invalid keys return 401.
{
  "error": "Unauthorized",
  "message": "Valid API key required. Get your key from OrgX settings."
}

MCP OAuth

The hosted MCP server uses OAuth 2.1 with browser-based authorization and PKCE. Remote MCP clients discover the auth server through protected-resource metadata and manage token refresh automatically.
https://mcp.useorgx.com/mcp
Use MCP OAuth for AI clients and MCP Apps. Use REST API keys for server-side system integrations and local runtime bridges.