# Authentication

> How the Parmana API authenticates requests

<Warning>
  **Discrepancy between specification and implementation.** `openapi/openapi.yaml` declares a `BearerAuth` (JWT) security scheme applied globally to all operations. As of this monorepo snapshot, `packages/api/src/routes/` and `packages/api/src/middleware/` contain no authentication middleware — no bearer token or API key check is enforced by the running server. Do not treat the local/dev server as safe to expose without adding your own authentication layer in front of it.
</Warning>

## Specified scheme (OpenAPI)

```yaml
securitySchemes:
  BearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
security:
  - BearerAuth: []
```

The intent, per the specification, is a bearer token on every request:

```bash
curl http://localhost:3000/execute \
  -H "Authorization: Bearer <token>"
```

Both SDKs already model this: TypeScript's `Configuration.credentials` accepts an `AuthenticationScheme.BEARER_TOKEN` or `AuthenticationScheme.API_KEY` value (see [TypeScript SDK → Configuration](/docs/typescript-sdk/installation#configuration)), even though the server does not yet validate it.

## What to do today

If you're deploying this server outside of local development, put an authenticating reverse proxy or gateway in front of it until server-side auth middleware lands, and track `packages/api/src/middleware/` for when that changes.
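
One way to build such a gateway in plain Node.js, added here as an example and not taken from the Parmana code base. It assumes HS256 tokens signed with a shared secret (the specification only says `bearerFormat: JWT`), an upstream on `127.0.0.1:3000` as in the curl example above, and the hypothetical names `bearerToken`, `verifyJwt`, `createGateway`, `GATEWAY_SECRET` and listen port 8080.

```javascript
// Added example, not Parmana code. Assumes HS256 JWTs and a shared secret.
const crypto = require("node:crypto");
const http = require("node:http");

// Return the token from "Authorization: Bearer <token>", or null.
function bearerToken(headerValue) {
  const m = /^Bearer +([A-Za-z0-9._-]+)$/i.exec(headerValue || "");
  return m ? m[1] : null;
}

// Verify a compact HS256 JWT; return its claims, or null on any failure.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch { return null; }
  // Pin the algorithm: the token's own "alg" must never select the verifier.
  if (header?.alg !== "HS256") return null;
  // Require an unexpired "exp" so a leaked token has a bounded lifetime.
  if (typeof claims?.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}

// Gateway: answer 401 unless the JWT verifies, otherwise forward upstream.
function createGateway(secret, upstream = { host: "127.0.0.1", port: 3000 }) {
  return http.createServer((req, res) => {
    const token = bearerToken(req.headers.authorization);
    if (!token || !verifyJwt(token, secret)) {
      res.writeHead(401, { "WWW-Authenticate": "Bearer" });
      return res.end();
    }
    const opts = { ...upstream, method: req.method, path: req.url, headers: req.headers };
    const fwd = http.request(opts, (up) => {
      res.writeHead(up.statusCode, up.headers);
      up.pipe(res);
    });
    fwd.on("error", () => res.headersSent ? res.destroy() : res.writeHead(502).end());
    req.pipe(fwd);
  });
}

if (process.env.GATEWAY_SECRET) createGateway(process.env.GATEWAY_SECRET).listen(8080); // hypothetical env name
```

Bind the API server itself to loopback or a private network so that the gateway is the only route to it.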
