PAT · OAuth 2.1 · Session

Authentication.

Projekt accepts three credential types on the same API surface. Which one you want depends on whether a human is in the loop, whether a third-party agent needs scoped access, and how long you need the credential to live.

Pick one#

Mode	Best for	Lifetime	Identity	Setup
Personal Access Token pjk_live_…	Claude, Codex, CI scripts, cron jobs, your own backend talking to Projekt.	Until revoked (optional expiry).	Acts as the human who minted it. Bound to ONE org.	Click "Create API key" in Integraciones.
OAuth 2.1 + DCR	Third-party SaaS that lets the user sign in with Projekt and pick which org/scopes to grant. Used by claude.ai's MCP connector.	Access tokens 1h, refresh tokens long-lived.	Acts as the user. Bound to one org via RFC 8707 resource binding.	POST `/oauth/register` (RFC 7591) then standard authorization-code + PKCE.
Browser session	The Projekt web app itself. Not something you build against.	30 days, refresh-on-use.	The signed-in user.	Sign in.

If in doubt, use a PAT

Personal Access Tokens are the right answer for almost every server-to-server integration. Reach for OAuth only if you are building a multi-tenant app and the user needs to grant your tool access without sharing a long-lived secret.

Personal Access Tokens#

Minting a key#

Sign in to Projekt.
Open Organization → Settings → General → Integraciones.
Click Create API key, give it a descriptive name (e.g. Claude desktop, CI deploy, nightly-backup), optionally set an expiry, and confirm.
Copy the plaintext token. It is shown exactly once.

The token is hashed (SHA-256) before being stored, the same pattern Projekt uses for browser sessions and OAuth access tokens. There is no "recover key" flow: lose it, revoke it, mint a new one.

You can have up to 20 active keys per user per org. Revoke unused ones.

Using the key#

curl https://projekt.3xa.es/api/projects \
  -H "Authorization: Bearer pjk_live_..." \
  -H "X-Org-Id: <ORG_ID>"

Two headers carry everything Projekt needs:

Authorization: Bearer pjk_live_… — the token itself. If your proxy strips Authorization, fall back to X-Auth-Token: pjk_live_…; the server accepts both.
X-Org-Id: <uuid> — which org context to use. For PATs this is optional (the key already knows its org), but sending it is fine. If you do send it, it MUST match the key's bound org — Projekt rejects mismatches with 403 to block scope-creep.

Scope and permissions#

A PAT is bound to exactly one organization at mint time. The endpoints /orgs, /me/orgs, /people/search, and /palette/search are filtered to that org for PAT callers — they will not surface data from other orgs the human happens to belong to.
The PAT acts as the human who created it, with the same role they have in the org (owner, admin, manager, member, viewer).
Endpoints that operate across organizations — creating new orgs, joining an org via invite code, searching the public org directory — return 403 for PAT callers by design. Use a browser session for those.
The key cannot mint or revoke other API keys (that would let a leaked key rotate itself).

Revoking a key#

Same screen: Organization → Settings → General → Integraciones, click Revoke next to the key. Revocation is instant — the next request returns 401.

OAuth 2.1#

Projekt is a full OAuth 2.1 Authorization Server with Dynamic Client Registration (RFC 7591), PKCE, and RFC 8707 resource binding. This is what claude.ai uses to connect to your Projekt org as an MCP server.

Discovery#

curl https://projekt.3xa.es/.well-known/oauth-authorization-server

That metadata endpoint advertises the authorization_endpoint, token_endpoint, registration_endpoint, and supported scopes_supported, code_challenge_methods_supported, etc.

Register a client#

curl -X POST https://projekt.3xa.es/oauth/register \
  -H "Content-Type: application/json" \
  -d '{
    "client_name":   "My integration",
    "redirect_uris": ["https://example.com/cb"],
    "grant_types":   ["authorization_code", "refresh_token"],
    "token_endpoint_auth_method": "none"
  }'

Authorization code + PKCE#

Standard flow — see the Authorization Server metadata for the exact endpoints. The resource parameter (resource=https://projekt.3xa.es/api) is required and the org is selected on the consent screen, then baked into the token.

Heads-up

OAuth is intended for third-party SaaS integrations where a Projekt user wants to delegate access. If you are writing a script you control, a PAT is much simpler.

Security tips#

Never commit a key. Put it in a secret manager (1Password, doppler, GitHub Actions secrets, AWS SSM, etc.).
One key per integration. Name them after the tool that uses them. Revoking one then does not break the others.
Rotate on incident. If a laptop is lost or a CI log leaks the token, revoke and mint a new one immediately.
Watch for 401. A previously-working request returning 401 means the key was revoked or expired. Stop retrying — re-authenticate.
Use HTTPS. The server forces it (HSTS preloaded). Plain HTTP calls are redirected, but never send a token over a non-TLS channel "just to test."