Worlds provides an authentication layer and strict tenant isolation to ensure
your data remains secure.
Authentication strategies
The platform uses two primary authentication strategies depending on the use
case.
1. API keys
AI agents and background services authenticate using scoped API keys. You can
generate and manage these keys via the Console.
Include your API key in the Authorization header of your requests:
Authorization: Bearer <your-api-key>
2. Identity service
The Console uses an identity service, such as WorkOS, to manage human users and
organizations. This layer handles MFA, SSO, and team-based access control.
Tenant isolation
Security is enforced at the organization level. Provisioning an organization
initializes a dedicated API server instance and a primary metadata database.
- Dedicated Worlds: Each World maintains its own isolated libSQL database
for triples and embeddings.
- Resource boundaries: Agents can access only the Worlds within their
authorized organization. No data crosses between tenants.
Unprotected mode
For self-hosters or local development, you can disable authentication by
omitting specific environment variables.
Unprotected mode removes all security boundaries. Never use this mode in a
production environment or when exposing the API to the public internet. Use it
only for local-first, offline contexts.
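A preflight guard that enforces this rule before a self-hosted server starts, as an added example that is not part of Worlds itself. It takes the value of the authentication variable as an argument rather than assuming its name; the `production` label, the loopback list, and the names `BIND_HOST`, `APP_ENV` and `AUTH_VAR_PLACEHOLDER` are assumptions.

```shell
#!/bin/sh
# Preflight guard for a self-hosted server (added example, not Worlds code).
# The caller passes the VALUE of the authentication variable; its real name
# is not assumed here. "production" and the loopback list are assumptions.

# Succeeds only for addresses that accept local connections exclusively.
is_loopback() {
  case "$1" in
    127.0.0.1|::1|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds when the auth value is empty. Whitespace-only values are treated
# as empty so a stray space cannot hide a disabled configuration.
auth_disabled() {
  [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# preflight AUTH_VALUE BIND_HOST ENV_NAME
# Returns 0 if the server may start, 1 if it must not.
preflight() {
  auth_value=$1
  bind_host=$2
  env_name=$3

  if ! auth_disabled "$auth_value"; then
    echo "ok: authentication is configured"
    return 0
  fi
  if [ "$env_name" = "production" ]; then
    echo "refuse: unprotected mode in a production environment" >&2
    return 1
  fi
  if ! is_loopback "$bind_host"; then
    echo "refuse: unprotected mode on non-loopback address '$bind_host'" >&2
    return 1
  fi
  echo "warn: unprotected mode, reachable from this machine only" >&2
  return 0
}

# Usage in a start script (AUTH_VAR_PLACEHOLDER stands for the real variable):
#   preflight "${AUTH_VAR_PLACEHOLDER-}" "${BIND_HOST:-127.0.0.1}" "${APP_ENV:-development}" || exit 1
```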
To enable unprotected mode, set the following environment variable to an empty
string: