GET /v1/me against the gavAI API with a test-mode key and read the response: the user the key belongs to, the token’s scopes, and the workspace it acts on. Five minutes. The point isn’t the endpoint — /v1/me is the cheapest, safest call to confirm authentication works before you ask the API to do anything real.
This is the code entry point. The Builder (console) and the MCP server reach the same workspace and the same isolation guarantees. See Who this is for if you’re deciding which entry point fits.
What you need
How a request gets authenticated
One sentence of mental model before you start, so the response shape isn’t surprising: Every gavAI API request carries one credential in theAuthorization header. The API resolves that credential to three things — the user who owns it, the token itself (with its scopes), and the workspace the call runs against. GET /v1/me is the endpoint that hands those three back to you so you can see what your key resolves to before using it for anything else.
That’s why this is a good first call: it’s read-only, it touches every part of the auth path, and the response is a self-portrait of your access.