The header

Every request — to a gateway or to a backend service — carries the same header:

Authorization: Bearer <your-api-key>

That’s it. There is no separate session cookie, no signed payload, and no per-request HMAC.

Where keys come from

API keys are issued per organization. To request one, email hello@epcstudio.io with:

• Your organization name
• The intended use case (what you’re building, roughly)
• Whether you want a sandbox key (rate-limited, isolated) or a production key

Sandbox keys are free for evaluation. Production keys are issued per contract.

Scoping

A single key authenticates you to:

• The conversational gateways (/api, /api/ug)
• The engineering services that gateway calls under the hood
• The MCP servers, if you choose to call tools directly via the MCP protocol

Keys can be scoped down on request — e.g. read-only, parse-only, or per-utility tenant.

Treat keys like passwords

Keys grant access to your organization’s data and your billing meter. Don’t:

• Commit keys to source control
• Embed keys in browser-side JavaScript
• Share keys across organizations

Do:

• Store keys in your secret manager (Google Secret Manager, AWS Secrets Manager, Doppler, etc.)
• Rotate keys when team members leave
• Use separate keys for sandbox and production environments

Rotating a key

Email hello@epcstudio.io with the key fingerprint (the first 8 characters of the key plus the issue date) and we’ll issue a new key and revoke the old one. Self-service rotation is on the roadmap.

Errors

If a request is unauthenticated or the key is invalid, the service returns:

{
  "error": "unauthorized",
  "message": "missing or invalid bearer token"
}

with a 401 status code. The gateway streams the same shape inside an SSE error event.