Common request headers

All Empowill APIs share three transport-level headers. Header names are case-insensitive and must be sent on every request — there is no cookie or session fallback.

• Company-Id (alias: X-Company-Id) — Default on the company of the authenticated client. Can be overridden by setting this header only if your client has access to multiple companies. Value is the company's human-memorable slug, chosen at creation and immutable afterwards (pattern ^[0-9a-z-_]+$, max 100 chars, e.g. my-company). The backend uses it to resolve permissions and scope queries; with a wrong value, company-scoped endpoints typically respond with permission_denied or not_found. The X-Company-Id alias is kept for legacy clients.
• Accept-Language — Optional. Standard RFC 7231 value (e.g. en, fr-FR). Drives the language of translatable response fields and error messages. Falls back to the server default when missing.
• X-Timezone — Optional. IANA timezone name (e.g. Europe/Paris, UTC). All timestamps are always stored in UTC on the server; this header is only used when the backend needs to render time in the caller's local zone — typically PDF generation, exports, scheduled notifications and any user-facing formatting. Falls back to UTC when missing.