Foundations
Auth, scopes, rate limits, errors, tenant isolation. Read these first.
Authentication
All /public/v1/* requests require a Bearer access token minted for a marketplace app install. The token carries the tenant scope (org + entity) and the granted scopes.
Scopes
Scopes are granted at install time. Each route checks a required scope before executing — missing scopes return 403 insufficient_scope.
Rate limits
Default 120 requests per 60 seconds per (clientId, install). Per-app overrides are configurable. Exceeding the limit returns 429 rate_limited.
Errors
Every error response is JSON with an `error` machine code and a human-readable `message`. Some include extra fields like `required` (scopes) or `ticket` (not_implemented).
Tenant isolation
Your token is scoped to exactly one (org, entity). Any URL with a different :orgId or :entityId returns 403 tenant_scope_violation — even if you have a token for the other tenant.