# Provision an org

> Idempotently provision a Craftkit project + API key + embed partner for
> an external org id. The first call returns the plaintext API key (store
> it — it cannot be recovered later); subsequent calls decrypt and return
> the same key. Authenticated by the deployment admin key.

## OpenAPI

````yaml /openapi.yaml post /v1/admin/provision
openapi: 3.1.0
info:
  title: Craftkit API
  version: 1.0.0
  description: |
    The Craftkit public REST API. Design templates with typed variables, render
    PDFs asynchronously, share and track them, and send them out for digital
    signature.

    ## Authentication

    Most endpoints authenticate with a **project API key** as a bearer token:

    ```
    Authorization: Bearer ck_live_xxxxxxxxxxxxxxxx
    ```

    Keys come in `ck_live_` (production) and `ck_test_` (test) flavours. Embed
    iframe surfaces use a short-lived **embed session JWT** instead, and the
    admin provisioning endpoint uses the deployment-wide `CRAFTKIT_ADMIN_KEY`.
    Inbound webhooks (`/v1/hooks/*`) are not bearer-authed — they are verified by
    an HMAC signature header.

    ## Idempotency

    `POST /v1/templates/{slug}/render` and `POST /v1/signatures` accept an
    `Idempotency-Key` request header. Retrying with the same key returns the
    original resource instead of creating (and, for signatures, billing) a
    duplicate.

    ## Errors

    Application errors use a shared envelope:

    ```json
    { "error": { "code": "invalid_request", "message": "...", "issues": { } } }
    ```

    A small number of admin/embed endpoints return a flatter shape
    (`{ "error": "invalid_credentials" }`); those are documented inline.
servers:
  - url: https://api.craftkit.dev
    description: Production
security:
  - bearerApiKey: []
tags:
  - name: Templates
    description: Create, list, fetch, republish, delete templates and enqueue renders.
  - name: Renders
    description: Poll render status, download PDFs, manage shares, email, and engagement.
  - name: Signatures
    description: >-
      Send rendered PDFs out for digital signatures via the signature service
      and track status.
  - name: Webhooks
    description: Inbound webhook receivers (HMAC-authenticated, not bearer-authed).
  - name: Embed
    description: Embed session minting, catalogs, builder templates, form submission.
  - name: Admin
    description: Org provisioning (deployment admin key only).
  - name: System
    description: Health and status.
paths:
  /v1/admin/provision:
    post:
      tags:
        - Admin
      summary: Provision an org
      description: |
        Idempotently provision a Craftkit project + API key + embed partner for
        an external org id. The first call returns the plaintext API key (store
        it — it cannot be recovered later); subsequent calls decrypt and return
        the same key. Authenticated by the deployment admin key.
      operationId: provisionOrg
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - externalOrgId
              properties:
                externalOrgId:
                  type: string
                orgName:
                  type: string
            example:
              externalOrgId: org_123
              orgName: Acme Corp
      responses:
        '200':
          description: Org provisioned (returns whether it already existed).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProvisionResult'
              example:
                projectId: 7c9f0b2e-2b1a-4f3d-9c8e-1a2b3c4d5e6f
                partnerId: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
                apiKey: ck_live_xxxxxxxxxxxx
                alreadyExisted: false
        '400':
          description: Body was not valid JSON.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleError'
        '401':
          $ref: '#/components/responses/SimpleUnauthorized'
        '422':
          description: externalOrgId is required.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleError'
              example:
                error: externalOrgId is required
        '500':
          description: Provisioning failed or admin key not configured.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleError'
      security:
        - adminKey: []
components:
  schemas:
    ProvisionResult:
      type: object
      required:
        - projectId
        - partnerId
        - apiKey
        - alreadyExisted
      properties:
        projectId:
          type: string
          format: uuid
        partnerId:
          type: string
          format: uuid
        apiKey:
          type: string
          description: Plaintext project API key (only retrievable via this endpoint).
        alreadyExisted:
          type: boolean
    SimpleError:
      type: object
      description: |
        Flat error shape used by some admin/embed endpoints (the value is a
        machine-readable code string rather than the structured envelope).
      required:
        - error
      properties:
        error:
          oneOf:
            - type: string
            - type: object
              properties:
                code:
                  type: string
                message:
                  type: string
        message:
          type: string
        issues: {}
        detail:
          type: string
  responses:
    SimpleUnauthorized:
      description: Missing or invalid credentials (flat error shape).
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/SimpleError'
          example:
            error: invalid_credentials
  securitySchemes:
    bearerApiKey:
      type: http
      scheme: bearer
      description: |
        Project API key (`ck_live_…` or `ck_test_…`) presented as a bearer token.
        For embed partner endpoints this is the partner secret key, which is the
        same credential type.
    adminKey:
      type: http
      scheme: bearer
      description: >-
        Deployment-wide admin secret (`CRAFTKIT_ADMIN_KEY`). Admin provisioning
        only.

````
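
The following Python client is an added example, not Craftkit's own code: it builds the provisioning request with the admin key as a bearer token, normalises the two `error` shapes that `SimpleError` allows, and keeps the returned `apiKey` out of `repr()` output. The names `Provisioned`, `build_request`, `error_code`, `parse_result` and `provision` are hypothetical, and reading the admin key from a client-side `CRAFTKIT_ADMIN_KEY` environment variable is an assumption.

```python
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass, field

BASE_URL = "https://api.craftkit.dev"  # production server listed in the spec

@dataclass(frozen=True)
class Provisioned:
    project_id: str
    partner_id: str
    already_existed: bool
    api_key: str = field(repr=False)  # plaintext key never shows up in repr()/logs

def build_request(admin_key, external_org_id, org_name=None):
    """POST /v1/admin/provision with the admin key as the bearer token."""
    if not admin_key:
        raise ValueError("admin key is not set")
    body = {"externalOrgId": external_org_id}
    if org_name:
        body["orgName"] = org_name
    headers = {"Authorization": "Bearer " + admin_key,
               "Content-Type": "application/json"}
    return urllib.request.Request(BASE_URL + "/v1/admin/provision", method="POST",
                                  data=json.dumps(body).encode(), headers=headers)

def error_code(payload):
    """SimpleError: `error` is a code string or a {code, message} object."""
    err = payload.get("error")
    return err.get("code", "unknown") if isinstance(err, dict) else (err or "unknown")

def parse_result(payload):
    """Require every ProvisionResult field before using the response."""
    required = ("projectId", "partnerId", "apiKey", "alreadyExisted")
    missing = [k for k in required if k not in payload]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return Provisioned(payload["projectId"], payload["partnerId"],
                       payload["alreadyExisted"], payload["apiKey"])

def provision(external_org_id, org_name=None):
    """Live call. Assumption: the caller keeps the admin key in CRAFTKIT_ADMIN_KEY."""
    req = build_request(os.environ.get("CRAFTKIT_ADMIN_KEY"), external_org_id, org_name)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_result(json.load(resp))
    except urllib.error.HTTPError as e:
        code = error_code(json.load(e))  # 400/401/422/500 all use the flat shape
        raise RuntimeError(f"provision failed: HTTP {e.code} {code}") from None
```

Only `provision()` touches the network; the other functions can be exercised offline against the example payloads in the spec.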