Every business request is scoped to an organization context. Role checks are enforced server-side for owner, admin, operator, accountant, and viewer access. Use X-Organization-Id when you need to override the active organization context.
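
One way a server could resolve the organization context and apply the role check, as an added example (not this API's own code). It assumes X-Organization-Id arrives as an HTTP request header and that the override is honored only for organizations the caller belongs to. The `Session` type, the `PERMISSIONS` mapping and the action names are hypothetical; only the five role names come from the text above.

```python
from dataclasses import dataclass

# Role names as listed in the documentation above.
ROLES = ("owner", "admin", "operator", "accountant", "viewer")

# Hypothetical action -> allowed roles mapping; the page does not define one.
PERMISSIONS = {
    "invoice:read": {"owner", "admin", "operator", "accountant", "viewer"},
    "invoice:write": {"owner", "admin", "accountant"},
    "member:manage": {"owner", "admin"},
}

class AccessDenied(Exception):
    """Raised when the caller lacks membership or a sufficient role."""

@dataclass(frozen=True)
class Session:
    user_id: str
    active_org: str      # default organization context for this caller
    memberships: dict    # org_id -> role, loaded server-side, never from the client

def resolve_org(session, headers):
    """Return (org_id, role); the header overrides the active organization."""
    # HTTP header names are case-insensitive, so normalize before lookup.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    org_id = lowered.get("x-organization-id") or session.active_org
    # The header is only a selector: the role always comes from server-side data.
    role = session.memberships.get(org_id)
    if role not in ROLES:
        raise AccessDenied("caller is not a member of the requested organization")
    return org_id, role

def authorize(session, headers, action):
    """Return the organization the request is scoped to, or raise AccessDenied."""
    org_id, role = resolve_org(session, headers)
    # Unknown actions map to an empty set, so they are denied by default.
    if role not in PERMISSIONS.get(action, set()):
        raise AccessDenied(f"role {role!r} may not perform {action!r}")
    return org_id

# Constructed sample caller: owner of org_a, viewer of org_b.
SAMPLE = Session("u1", "org_a", {"org_a": "owner", "org_b": "viewer"})

if __name__ == "__main__":
    print(authorize(SAMPLE, {}, "member:manage"))
    print(authorize(SAMPLE, {"X-Organization-Id": "org_b"}, "invoice:read"))
```

The role used for the check is the caller's role in the organization selected for that request, so an owner of one organization gains nothing by overriding into another where they are only a viewer.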