# Authentication and limits

## Authentication

Use an **organization-scoped integration token** created in initdesk. Send the raw token on every request using the custom header:

* `X-Initdesk-Token: <token>`

**Scope:** An org-scoped token may only access resources for the organization it was issued for. Requests to another organization's URLs return `403 Forbidden`.

**Invalid or inactive tokens:** If you send a token header and authentication fails, the API responds with `401` / `403` as appropriate.

### Issuing a new token

Access **Settings** > **API access** to generate a new token. Only users with **Account Owner** or **Admin** roles can issue tokens.

Tokens are stored server-side as salted hashes; the raw value is shown only once at creation. Revoke compromised tokens immediately.

## Rate limits and errors

The gateway applies **per-token rate limiting** (keyed on `X-Initdesk-Token`).

The limit is defined as **60 requests/minute** for most endpoints. Ticket **creation** is also throttled per organization on the backend (hourly cap).

Expect `429 Too Many Requests` when limits are exceeded; back off and retry with exponential delay.
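The sketch below is an added example, not initdesk's own client code: it sends the token in `X-Initdesk-Token`, retries only on `429` with exponential delay and jitter, and fails fast on `401` / `403` without putting the token in the error text. Assumptions: `send` is a hypothetical transport callable you supply around your HTTP library, `make_fake_send` is a constructed stand-in for the API, and the retry count and delay bounds are illustrative values, not limits documented by initdesk.

```python
import random
import time

TOKEN_HEADER = "X-Initdesk-Token"  # header name from the page


class AuthError(Exception):
    """401/403: the token is invalid, inactive, or scoped to another org."""


class RateLimited(Exception):
    """Still receiving 429 after the retry budget was spent."""


def backoff_delays(attempts, base=1.0, cap=60.0, rng=random.random):
    """Yield exponential delays with jitter: uniform in [0, min(cap, base * 2**n))."""
    for n in range(attempts):
        yield rng() * min(cap, base * (2 ** n))


def call_api(send, token, max_retries=5, sleep=time.sleep, rng=random.random):
    """Call send(headers) -> (status, body), retrying only on 429.

    `send` is a hypothetical transport callable, so the retry policy can be
    exercised offline against a fake.
    """
    headers = {TOKEN_HEADER: token}
    delays = backoff_delays(max_retries, rng=rng)
    while True:
        status, body = send(headers)
        if status in (401, 403):
            # Retrying cannot fix a bad or wrongly scoped token; fail fast and
            # keep the token itself out of the error message.
            raise AuthError(f"request rejected with {status}")
        if status != 429:
            return status, body
        delay = next(delays, None)
        if delay is None:
            raise RateLimited(f"429 after {max_retries} retries")
        sleep(delay)


def make_fake_send(statuses):
    """Constructed fake transport: replays `statuses` and records headers seen."""
    seen, queue = [], list(statuses)

    def send(headers):
        seen.append(dict(headers))
        return queue.pop(0), "{}"
    return send, seen
```

Load the token from a secret store or environment variable at call time rather than hard-coding it, since the raw value cannot be retrieved again after creation.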
