> ## Documentation Index
> Fetch the complete documentation index at: https://orchestrator-docs.hexoforge.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# IAM API overview

> Authentication, base URLs, and rate limits for the Gate and Public APIs.

The IAM APIs let your application authenticate and manage tenant users. **Gate** endpoints handle registration, login, and password flows at the edge. **Public** endpoints handle tokens, profile, TOTP, and JWKS without Cloudflare Worker invocation.

## Authentication

All Gate and Public endpoints require an **API key** with `auth` permission. Send it in the `X-API-Key` header:

```http theme={null}
X-API-Key: your_project_api_key_here
```

Public endpoints that act on a specific user also need a **Bearer** JWT access token:

```http theme={null}
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
```

## Base URLs

Replace `{project_id}` with your project's UUID.

| Surface    | Base URL                                                                      | Protection                                                |
| ---------- | ----------------------------------------------------------------------------- | --------------------------------------------------------- |
| Gate API   | `https://org-api.hexoforge.dev/api/v1/gate/{project_id}/auth`                 | Cloudflare Worker (DDoS, firewall, IP rules, rate limits) |
| Public API | `https://org-api.hexoforge.dev/api/v1/pub/{project_id}/auth`                  | Backend-only (IP rules, firewall, rate limits)            |
| JWKS       | `https://org-api.hexoforge.dev/api/v1/pub/{project_id}/.well-known/jwks.json` | No API key or Bearer                                      |

## Rate limiting

Every endpoint is rate-limited. Default limits are configurable per project:

| Category         | Default limit                 | Applied to                            |
| ---------------- | ----------------------------- | ------------------------------------- |
| `login`          | 10 requests per minute per IP | `/login`, `/login/totp`               |
| `register`       | 5 requests per minute per IP  | `/register`                           |
| `password_reset` | 5 requests per minute per IP  | `/forgot-password`, `/reset-password` |
| `general`        | 30 requests per second per IP | All other endpoints                   |

When rate-limited, you receive `429 Too Many Requests` with IETF-compliant headers:

```http theme={null}
HTTP/1.1 429 Too Many Requests
RateLimit-Policy: 10;w=60
RateLimit: limit=10, remaining=0, reset=45
```

Gate endpoints also have a hard cap of **60 requests per minute per IP** at the Cloudflare edge (not configurable).
