Web vs API Chain
This is the first concept to understand in SlaunchX.
The Split
| Chain | Prefix | Primary auth | Primary caller |
|---|---|---|---|
| WEB | /web/v1/** | JWT, X-Client-Hash, optional Secure Channel | browser and portal clients |
| API | /api/v1/** | API key + HMAC | backend systems |
Why This Matters
The same business domain can contain both WEB and API behavior, but the security model is not interchangeable.
If you call a WEB endpoint like an API endpoint, or vice versa, the request can fail before business logic runs.
Practical Rule
Use WEB when:
- a human user is logged in through a portal
- the request depends on portal context
- the request depends on session fingerprinting
- the request can require Secure Channel
Use API when:
- a backend service owns the integration
- the request is signed with API credentials
- the endpoint is explicitly exposed for API-key access
403 Implications
WEB chain
403 often means one of these:
- missing or invalid portal context
- portal mismatch between entrypoint and token
- session fingerprint mismatch
- missing permission inside the active session
API chain
403 often means one of these:
- the endpoint is not API-exposed
- the API key lacks the required scope
- access is denied by scope policy