# Security

> Manage API keys and security boundaries

Worlds provides an authentication layer and strict tenant isolation to ensure
your data remains secure.

## Authentication strategies

The platform uses two primary authentication strategies depending on the use
case.

### API keys

AI agents and background services authenticate using scoped API keys. You can
generate and manage these keys via the **Console**.

Include your API key in the `Authorization` header of your requests:

```http
Authorization: Bearer <your-api-key>
```

### Identity service

The Console uses an identity service, such as WorkOS, to manage human users and
organizations. This layer handles MFA, SSO, and team-based access control.

## Tenant isolation

The platform enforces security at the organization level. Provisioning an
organization initializes a dedicated API server instance and a primary metadata
database.

* **Dedicated Worlds**: Each World maintains its own SQLite database for triples
  and embeddings.
* **Resource boundaries**: Agents only access Worlds within their authorized
  organization. Zero cross-contamination occurs between different tenants.

## Unprotected mode

For self-hosters or local development, you can disable authentication by
omitting specific environment variables.

<Warning>
  **Unprotected mode** removes all security boundaries. Never use this mode in a
  production environment or when exposing the API to the public internet. Use it
  only for local-first, offline contexts.
</Warning>

To enable unprotected mode, set the following environment variable to an empty
string:

```bash
WORLDS_API_KEY=""
```
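
A deployment gate for the setting above, as an added example that is not part of the Worlds project: it reads a dotenv-style file and refuses to proceed when `WORLDS_API_KEY` is missing or empty. The dotenv file and the function names `worlds_key_state` and `require_protected_mode` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: deployment gate against unprotected mode.
# Assumption: the server's environment comes from a dotenv-style file
# (KEY=value lines). Function names and the file path are hypothetical.
# Usage: require_protected_mode path/to/.env || exit 1

# Prints the effective WORLDS_API_KEY state of a dotenv file:
# "set", "empty" or "missing". The last assignment wins, as in a shell.
worlds_key_state() {
  local file="$1" line value state="missing"
  while IFS= read -r line || [ -n "$line" ]; do
    # Strip leading whitespace and an optional "export " prefix.
    line="${line#"${line%%[![:space:]]*}"}"
    line="${line#export }"
    case "$line" in
      WORLDS_API_KEY=*) ;;
      *) continue ;;   # comments, blank lines, other variables
    esac
    value="${line#WORLDS_API_KEY=}"
    # Drop trailing whitespace (including CR), then one pair of quotes.
    value="${value%"${value##*[![:space:]]}"}"
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    if [ -n "$value" ]; then state="set"; else state="empty"; fi
  done < "$file"
  printf '%s\n' "$state"
}

# Returns 0 only when authentication would be enabled.
require_protected_mode() {
  local state
  state="$(worlds_key_state "$1")"
  if [ "$state" != "set" ]; then
    echo "refusing to deploy: WORLDS_API_KEY is $state in $1 (unprotected mode)" >&2
    return 1
  fi
}
```

Both a missing and an empty key are rejected, since the page describes omitting the variable and setting it to an empty string as ways to disable authentication.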
