Authentication

All API requests require a Bearer token in the Authorization header:

Authorization: Bearer <token>

Authentication methods

OAuth 2.0

The API supports OAuth 2.0 with JWT access tokens issued by the Erna authorization server. Authorization server:

https://auth.erna.ai

API keys

API keys are supported for server-to-server integrations. Send the key as a Bearer token.

Product scopes

For launch, the product scopes are:

runs:read
runs:write

Pipeline creation and pipeline runs require both runs:write and runs:read because creation responses return persistent IDs that callers are expected to poll or inspect afterward.

Scope	Required for
`runs:write` + `runs:read`	`POST /v1/workspaces/{workspaceId}/pipelines`
`runs:write` + `runs:read`	`POST /v1/workspaces/{workspaceId}/pipelines/{pipelineId}/runs`
`runs:read`	`GET /v1/workspaces/{workspaceId}/pipelines` and related read APIs
`runs:read`	`GET /v1/runs/{runId}`

Most integrations only need these run scopes.

Protected Resource Metadata

The API publishes an RFC 9728 Protected Resource Metadata document at:

GET /.well-known/oauth-protected-resource

This tells OAuth clients which authorization server to use and which scopes are available.

Credits

Schedule generation via POST /v1/workspaces/{workspaceId}/pipelines/{pipelineId}/runs consumes credits. Credits are reserved when the run starts and finalized when the run completes. If you have insufficient credits, the API returns 402 with a checkout hint that points at POST /v1/billing/checkout.

​Authentication methods

​OAuth 2.0

​API keys

​Product scopes

​Protected Resource Metadata

​Credits