> ## Documentation Index
> Fetch the complete documentation index at: https://veryfront.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorization

> Trust boundaries between clients, APIs, agents, and project resources.

Conversation flows cross user, service, and project boundaries.

User-scoped calls use bearer auth. Project-scoped operations also check membership, role, and resource access.

```mermaid theme={null}
flowchart LR
  Client[Client user] -->|Bearer token| API[Veryfront API]
  Client -->|Bearer token| Agent[Hosted agent]
  Agent -->|Bearer token| API
  API -->|project checks| State[Cloud state]
  API -->|project checks| Runtime[Project resources]
```

## Boundaries

| Boundary                    | Check                                                           |
| --------------------------- | --------------------------------------------------------------- |
| Studio to API               | Bearer auth, then conversation or project permissions.          |
| SSE run stream              | Conversation access before replay or follow.                    |
| Project event notifications | Project access before subscription.                             |
| Studio to hosted agent      | Bearer token authentication.                                    |
| Hosted agent to API         | Forwarded bearer token for project and conversation operations. |
| API to project resources    | Project permissions and resource-specific access checks.        |

## Rule

Use bearer auth for user-scoped API and agent calls.

Veryfront applies project permission checks before exposing conversation, run, and event data.
