Pick auth by trust boundary, not convenience.

Callaro supports JWT, tenant API keys, partner API keys, and runtime server keys. The right choice depends on whether the caller acts for one tenant, many tenants, or internal runtime services.

JWT

Best for user-interactive operations in the Callaro app. Subject to app role and JWT-only controller guards.

Tenant API key

Best for server integrations that operate inside a single tenant and need explicit scope control.

Partner API key

Best for platform partners managing tenant provisioning and delegated operations across tenants.

Header patterns

JWT
Tenant API key
Partner API key

curl "https://api.callaro.ai/api/v1/agents" \
  -H "Authorization: Bearer $CALLARO_JWT"

curl "https://api.callaro.ai/api/v1/voice_sessions?page=1&per_page=25" \
  -H "X-Api-Key: $CALLARO_TENANT_API_KEY"

curl "https://api.callaro.ai/api/v1/partner/tenants" \
  -H "X-Partner-Api-Key: $CALLARO_PARTNER_API_KEY"

Decision table

Integration scenario	Recommended auth	Why
Internal operator using Callaro UI	JWT	Uses app session/role model and JWT-only guards.
Tenant backend sync job (CRM, BI, exports)	Tenant API key	Tenant-scoped, explicit least-privilege scopes.
Multi-tenant partner provisioning flow	Partner API key	Supports partner namespace and delegated tenant actions.
Runtime service-to-service internal call	Runtime server key	Server-only routes, not customer-issued API keys.

Scope model (source: API key permission matrix)

Scopes are granted per key and mapped to route families. Examples:

bulk_call_campaigns:read and bulk_call_campaigns:write
contacts:read and contacts:write
phone_numbers:read and phone_numbers:write
voice_sessions:read
billing:tenant:read and billing:partner:read

Some scopes are opt-in and intentionally excluded from defaults, including billing:partner:allocate and call_traces:admin_read.

`X-Tenant-Id` semantics

When using partner APIs that operate on behalf of a downstream tenant, include X-Tenant-Id when required by that route family to select the effective tenant context.

Do not use X-Tenant-Id to bypass scope restrictions. The effective action is still gated by partner key permissions and route-level authorization.

Least-privilege rollout pattern

Start with read-only scopes

Create a dedicated key for observability and dry-run operations first.

Add write scopes only for required route families

Split campaign write operations from billing or contact-compliance scopes to reduce blast radius.

Use separate keys per environment and workload

Keep sandbox and production keys isolated, and rotate keys tied to specific services.

Review keys quarterly

Remove stale scopes, revoke unused keys, and validate service ownership.

Empty or omitted scopes should not be treated as “allow all.” Use explicit scopes and audit them against the permissions matrix before go-live.

Getting Started

Core Concepts

Guides

Integrations

SDKs & Tools

Partner Integration Guide

Authentication

Pick auth by trust boundary, not convenience.

JWT

Tenant API key

Partner API key

Header patterns

Decision table

Scope model (source: API key permission matrix)

`X-Tenant-Id` semantics

Least-privilege rollout pattern

Getting Started

Core Concepts

Guides

Integrations

SDKs & Tools

Partner Integration Guide

​Pick auth by trust boundary, not convenience.

JWT

Tenant API key

Partner API key

​Header patterns

​Decision table

​Scope model (source: API key permission matrix)

​X-Tenant-Id semantics

​Least-privilege rollout pattern

Pick auth by trust boundary, not convenience.

Header patterns

Decision table

Scope model (source: API key permission matrix)

`X-Tenant-Id` semantics

Least-privilege rollout pattern