Connect Your Application

Create a service account, generate an API token, and make your first authenticated API call.

To interact with Kaiten programmatically (from your backend, CI/CD, or scripts), you need a Service Account and an API Token (ksh_*).

Create a Service Account

Navigate to Integrations → Service Accounts in the dashboard, then click New Service Account.

Give it a descriptive name (e.g. my-app-backend).

A Service Account is a machine user — it has no email and belongs to your organization. It can hold multiple API tokens with different scopes.

Generate an API Token

  1. Click on your service account
  2. Click Generate Token
  3. Give it a name (e.g. production)
  4. Select Scopes:
    • read:customers — list and view customers
    • read:instances — list and view instances
    • read:feature_flags — evaluate feature flags
    • write:customers — create/update customers
    • Or use read:* / write:* for full access
  5. Click Create

Copy the token immediately — it is shown only once. It looks like: ksh_abcdef123456...

Make Your First API Call

curl http://localhost:6000/api/customers \
  -H "Authorization: Bearer ksh_your_token_here"

Response:

{
  "items": [
    {
      "id": "uuid-...",
      "name": "Sakura Tokyo",
      "slug": "sakura-tokyo"
    }
  ],
  "total": 3
}

How Authentication Works

When you send a request with a ksh_* token, here's what happens:

Your App                    Traefik Gateway              Go API
  |                              |                         |
  |-- Bearer ksh_xxx ----------->|                         |
  |                              |-- ForwardAuth --------->|
  |                              |   /api/tokens/validate  |
  |                              |<-- unsigned JWT --------|
  |                              |                         |
  |                              |-- JWT + request ------->|
  |                              |                         |-- extract Principal
  |                              |                         |   (UserID, OrgID, Scopes)
  |<-- API response -------------|<-- response ------------|

  1. Traefik detects the ksh_* pattern in the Authorization header
  2. It forwards the request to /api/tokens/validate via ForwardAuth
  3. The API validates the token hash, checks expiry, and generates an unsigned JWT with the same claims
  4. The JWT is forwarded to the API handler, which extracts the Principal (user ID, org ID, scopes)
  5. All database queries are automatically scoped to the organization
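The following Go program is an added illustration of steps 1 to 4; it is not Kaiten's code. The hashed-token store (StoredToken), the SHA-256 choice, the JSON claim names and the function names are all assumptions. It validates a ksh_* bearer header against stored hashes with a constant-time compare, rejects revoked or expired tokens, and round-trips the Principal through an unsigned (alg "none") JWT the way the gateway hop does. The unsigned JWT carries no integrity, so the handler's decoder insists on the exact gateway shape and the API must only accept it from the gateway hop, never from a client that can reach the API port directly.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Principal is what the handler works with after step 4 (field names follow the flow above).
type Principal struct {
	UserID string   `json:"user_id"`
	OrgID  string   `json:"org_id"`
	Scopes []string `json:"scopes"`
}

// StoredToken models one row of a hypothetical api_tokens table (assumed shape).
// Only the SHA-256 of the ksh_* secret is kept, so a database leak yields no usable tokens.
type StoredToken struct {
	Hash      string // hex SHA-256 of the raw token
	Principal Principal
	ExpiresAt time.Time
	Revoked   bool
}

var ErrInvalidToken = errors.New("invalid, revoked or expired token")

// HashToken is the one-way transform applied both when a token is issued and when it is looked up.
func HashToken(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// ValidateBearer performs steps 1 to 3: detect a ksh_* bearer token, look up its
// hash, then reject revoked or expired entries.
func ValidateBearer(authHeader string, store []StoredToken, now time.Time) (Principal, error) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return Principal{}, ErrInvalidToken
	}
	raw := strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
	if !strings.HasPrefix(raw, "ksh_") {
		return Principal{}, ErrInvalidToken
	}
	want := []byte(HashToken(raw))
	for _, t := range store {
		// Constant-time compare: lookup timing must not depend on how many leading hash bytes match.
		if subtle.ConstantTimeCompare([]byte(t.Hash), want) != 1 {
			continue
		}
		if t.Revoked || !now.Before(t.ExpiresAt) {
			return Principal{}, ErrInvalidToken
		}
		return t.Principal, nil
	}
	return Principal{}, ErrInvalidToken
}

// UnsignedJWT encodes the claims as "header.payload." with alg "none". It has no
// integrity protection, so it is only trustworthy on the internal Traefik -> API hop.
func UnsignedJWT(p Principal) string {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(p)
	return enc.EncodeToString(header) + "." + enc.EncodeToString(payload) + "."
}

// ExtractPrincipal is step 4: the handler decodes the gateway-issued JWT, insisting
// on the exact unsigned shape so a stray signed token is not silently accepted.
func ExtractPrincipal(token string) (Principal, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[2] != "" {
		return Principal{}, errors.New("expected an unsigned gateway JWT")
	}
	enc := base64.RawURLEncoding
	var header struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &header) != nil || header.Alg != "none" {
		return Principal{}, errors.New("unexpected JWT header")
	}
	var p Principal
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &p) != nil {
		return Principal{}, errors.New("malformed JWT claims")
	}
	return p, nil
}

func main() {
	now := time.Now()
	// Constructed sample store: one live token and one that has already expired.
	store := []StoredToken{
		{Hash: HashToken("ksh_demo_live"), ExpiresAt: now.Add(time.Hour),
			Principal: Principal{UserID: "svc-1", OrgID: "org-1", Scopes: []string{"read:customers"}}},
		{Hash: HashToken("ksh_demo_expired"), ExpiresAt: now.Add(-time.Minute)},
	}
	for _, h := range []string{"Bearer ksh_demo_live", "Bearer ksh_demo_expired", "Bearer ksh_unknown"} {
		p, err := ValidateBearer(h, store, now)
		if err == nil {
			p, err = ExtractPrincipal(UnsignedJWT(p)) // round trip through the gateway hop
		}
		fmt.Printf("%-24s -> %+v err=%v\n", h, p, err)
	}
}
```

The store here is a slice scanned linearly so the constant-time compare is meaningful; with a database lookup by hash the same property comes from indexing on the hash column rather than on the raw token.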

Scopes Reference

Scopes follow the pattern <action>:<module>:

Scope               Access
read:customers      List/view customers
write:customers     Create/update/delete customers
read:instances      List/view instances
read:feature_flags  Evaluate feature flags
read:*              Read access to all modules
write:*             Full access (implies read)

See the complete scopes reference for all 11 modules.
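As an added example (not part of the Kaiten code base), the Go program below implements the two rules the table states, a `*` module matches every module and write implies read, plus a helper that lists the scopes a token lacks and a handler wrapper that returns 401 when the gateway attached no principal and 403 when the principal lacks the scope. The context key, `RequireScope` and `WithPrincipal` are assumed names, not Kaiten's API.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"strings"
)

// Principal is the identity extracted from the gateway JWT; only Scopes matters here.
type Principal struct {
	UserID string
	OrgID  string
	Scopes []string
}

// ctxKey is an unexported context key so other packages cannot inject a principal.
type ctxKey struct{}

// HasScope reports whether the granted list satisfies one required <action>:<module>
// scope: a "*" module matches every module, and write:<module> implies read:<module>.
func HasScope(granted []string, required string) bool {
	req := strings.SplitN(required, ":", 2)
	if len(req) != 2 {
		return false
	}
	for _, g := range granted {
		parts := strings.SplitN(g, ":", 2)
		if len(parts) != 2 {
			continue // malformed entries grant nothing
		}
		action, module := parts[0], parts[1]
		if module != "*" && module != req[1] {
			continue
		}
		if action == req[0] || (action == "write" && req[0] == "read") {
			return true
		}
	}
	return false
}

// MissingScopes lists which required scopes a token lacks: useful for an actionable
// 403 body and for choosing the narrowest token to issue in the first place.
func MissingScopes(granted, required []string) []string {
	var missing []string
	for _, r := range required {
		if !HasScope(granted, r) {
			missing = append(missing, r)
		}
	}
	return missing
}

// RequireScope wraps a handler: 401 when no principal was attached on the gateway
// hop, 403 when the principal exists but its token lacks the scope.
func RequireScope(scope string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, ok := r.Context().Value(ctxKey{}).(Principal)
		if !ok {
			http.Error(w, "missing or invalid token", http.StatusUnauthorized)
			return
		}
		if !HasScope(p.Scopes, scope) {
			http.Error(w, "token lacks scope "+scope, http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// WithPrincipal attaches a principal to the request, as the JWT-extraction step would.
func WithPrincipal(r *http.Request, p Principal) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, p))
}

func main() {
	// Constructed token grant: write on customers, read-only on feature flags.
	granted := []string{"write:customers", "read:feature_flags"}
	for _, want := range []string{"read:customers", "write:customers", "read:instances", "write:feature_flags"} {
		fmt.Printf("%-22s %v\n", want, HasScope(granted, want))
	}
	fmt.Println("missing:", MissingScopes(granted, []string{"read:customers", "read:instances"}))
}
```

A token that only needs to evaluate flags should be issued with read:feature_flags alone; MissingScopes run against the endpoints a job actually calls gives the minimal list, which is cheaper to rotate and revoke than a read:* or write:* token.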

Next Step

Receive Events via Webhooks
