Authentication
Kasty separates a person acting for an organization from a machine delivering on that organization’s behalf. Use the correct identity for the action being performed.
Human versus machine
Authorized people sign in through Kasty ID to manage their organization, representative details, agreements and credentials. Machine credentials perform scoped delivery operations. They cannot accept Terms, acknowledge a payment regime or change the legal representative.
Bearer credentials
Send the active credential in the standard Authorization: Bearer header. The secret is displayed only when created. Store it in a managed secret store, never in a manifest, URL, repository, analytics event or support screenshot.
Credential provisioning and recovery are covered in Credentials and scopes. The generated API reference defines operation-level responses.
Tenant boundary
The credential determines catalog account, sender and channel. Clients must not put tenant IDs, internal object keys or a channel override into the manifest. Cross-account public IDs are treated as not found so one partner cannot use error detail to enumerate another catalog.
Agreement 428
HTTP 428 with AGREEMENT_ACCEPTANCE_REQUIRED is a human action, not an invalid password. Preserve the draft, open the supplied Agreements handoff for an authorized representative, then validate the unchanged draft again. Do not automate the confirmation with a boolean in an API payload.