Auth Contract

Auth Types

AuthContext.authType supports:

• api_key
• frontdoor_api_session
• frontdoor_seat_session
• self_signup_session
• legacy

Self-Signup Bearer Format

Self-signup sessions authenticate with:

Authorization: Bearer vcrx_self_<signed_session_token>

Session verification is DB-backed and HMAC-signed.

Self-Signup Metadata

When authType=self_signup_session, auth context also carries:

• registrationType (self_signup or sponsored)
• agentPrincipalId
• sponsorTenantId (when sponsored)

Response Headers

Authenticated self-signup responses include:

• x-vaultcrux-credits-remaining
• x-vaultcrux-rate-limit-daily-remaining
• x-vaultcrux-sponsor-required
• x-vaultcrux-upgrade-url

Sponsor-Required Error

When pre-sponsor credits are exhausted, API returns structured SponsorRequired metadata with upgrade information.