
# Authentication

Every tenant-aware route takes a single header:

```http
Authorization: Bearer <jwt>
```

`user` tokens are already scoped to a single tenant, so the bearer header is everything a user request needs. The SDKs set it for you when you pass `token` at client construction.

## Send a request

```bash title="Shell"
curl "$BASE_URL/locations?page=1&limit=50" \
  -H "Authorization: Bearer $ACCESS_TOKEN"
```

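```python title="Python"
import os

from ocpplab import OcpplabSDK

# Token and base URL come from the environment, as in the shell example.
client = OcpplabSDK(token=os.environ["ACCESS_TOKEN"], base_url=os.environ["BASE_URL"])
locations = client.locations.list(page=1, limit=50)
```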

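```javascript title="Node.js"
import { OcpplabSDK } from "ocpplab";

// Token and base URL come from the environment, as in the shell example.
const { ACCESS_TOKEN, BASE_URL } = process.env;
const client = new OcpplabSDK({ token: ACCESS_TOKEN, baseUrl: BASE_URL });
const locations = await client.locations.list({ page: 1, limit: 50 });
```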

## What is tenant-scoped

Most endpoints that create, list, update, or operate on locations and chargers are tenant-scoped, including:

* `/locations`
* `/chargers`
* `/chargers/{charger_id}/...`
* `/locations/{location_id}/chargers/...`

Catalog reads are authenticated but are not tied to a specific tenant.

## Failure modes

| Status | Meaning                               |
| ------ | ------------------------------------- |
| `401`  | Missing or invalid bearer token       |
| `403`  | Wrong role or missing tenant scope    |
| `422`  | Request shape fails schema validation |

## Admin tokens (internal only)

`admin` tokens act across tenants and must pick one explicitly via `X-Organization-Id`. This only applies to internal OCPPLAB admin integrators — skip this section if you use a `user` token.

```bash
curl "$BASE_URL/locations?page=1&limit=50" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "X-Organization-Id: $ORG_ID"
```

Rules:

1. Admin tokens must send `X-Organization-Id` on tenant-scoped routes.
2. User tokens must never send `X-Organization-Id` — the backend rejects it.
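
The two rules above can be enforced on the client before a request leaves, so a misconfigured integration fails locally instead of with a `403`. This is an added example, not part of the OCPPLAB SDK: `build_headers` and `is_tenant_scoped` are hypothetical helpers, the caller passes the token role explicitly, and the prefix list covers only the routes this page names.

```python
import re
from typing import Optional

# Route prefixes this page lists as tenant-scoped (the page's list is not exhaustive).
TENANT_SCOPED_PREFIXES = ("/locations", "/chargers")
# Header values: printable ASCII only, no whitespace or CR/LF (blocks header injection
# and catches a token read with a trailing newline).
_SAFE_VALUE = re.compile(r"[\x21-\x7e]+")


def is_tenant_scoped(path: str) -> bool:
    """True if the path falls under a prefix the page names as tenant-scoped."""
    route = path.split("?", 1)[0]  # ignore the query string
    return any(route == p or route.startswith(p + "/") for p in TENANT_SCOPED_PREFIXES)


def build_headers(role: str, token: str, path: str, org_id: Optional[str] = None) -> dict:
    """Return request headers, refusing combinations the rules above forbid."""
    if not _SAFE_VALUE.fullmatch(token or ""):
        raise ValueError("token is empty or contains whitespace/control characters")
    headers = {"Authorization": f"Bearer {token}"}
    if role == "user":
        # Rule 2: user tokens are already tenant-bound and must never send the header.
        if org_id is not None:
            raise ValueError("user tokens must not send X-Organization-Id")
    elif role == "admin":
        # Rule 1: admin tokens must name a tenant on tenant-scoped routes.
        # The page states no rule for other routes; the header is omitted there (assumption).
        if is_tenant_scoped(path):
            if not _SAFE_VALUE.fullmatch(org_id or ""):
                raise ValueError(f"admin token needs a valid X-Organization-Id for {path}")
            headers["X-Organization-Id"] = org_id
    else:
        raise ValueError(f"unknown token role: {role!r}")
    return headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials or organization ids.
    print(build_headers("user", "aaa.bbb.ccc", "/locations?page=1&limit=50"))
    print(build_headers("admin", "ddd.eee.fff", "/chargers/ch-1/status", org_id="org-123"))
```
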

## Next step

Continue to [Common workflows](/common-workflows) for end-to-end examples.