Lamba

Base URLs

id.* serves customer auth, OIDC discovery, token exchange, and session operations.
api.* serves customer self and admin runtime APIs.
The Lamba console configures applications, domains, roles, webhooks, add-ons, and environment settings. Your product runtime should call only id.* and api.*.

Authorization: Bearer <customer-session-token-or-management-token>
X-Correlation-Id: <guid-or-string>

Do not send console-only workspace or project headers to the customer surface.

The bearer token comes from the customer auth host:

a customer session returned by password, register, magic-link, phone, refresh, or switch-context
a scoped customer session after OIDC by calling POST /v1/sessions/switch-context
a confidential management token from POST /connect/token with grant_type=client_credentials, workspaceId, projectId, and environment

Use management tokens only for /v1/admin/*. User self-service routes under /v1/me/* require a customer session.

Surface	Examples	Host
Auth	register, password login, magic-link, phone OTP, social callback, MFA, refresh, logout, switch-context	`id.*`
OIDC	discovery, authorize, token, JWKS, user info	`id.*`
Self	`me/context`, `me/memberships`, `me/authorization`, `me/security`, `me/linked-identities`, `me/profile`	`api.*`
Admin members	members, invitations, sessions, roles, permissions	`api.*`
Admin applications/domains	OAuth/OIDC clients, custom domains, domain bindings	`api.*`
Admin webhooks/events	endpoint CRUD, secret rotation, delivery logs, event catalog	`api.*`
Billing add-ons	SMS add-on status, tiers, subscribe, cancel	`api.*`

Keep customer auth and customer API clients separate.
Always pass correlation IDs for distributed tracing.
Build typed adapters around the public contract instead of scattering raw fetch calls.
Keep browser tokens in HttpOnly cookies or platform-secure credential storage.
Keep management client secrets server-side.