MCP Integration

Authentication

Two ways to authenticate: API keys for simple setups, or OAuth 2.1 for interactive flows and third-party integrations.

API Keys

API keys are the simplest way to connect. They are ideal for personal MCP clients (Claude Desktop, Cursor, Windsurf) and server-side scripts where you control the environment.

Creating a Key

Go to Settings → MCP Setup → API Keys and click Create Key. Each key requires:

| Field | Details |
| --- | --- |
| Name | A descriptive label, e.g. "CI/CD Pipeline" or "Claude Desktop – MacBook". |
| Scope | Select one or more workspaces. Optionally narrow to specific projects or folders. |
| Permissions | Choose between simple mode (read, write) or granular per-resource grants (read / write / delete). |
| Expiration | Never, 7 days, 30 days, 90 days, or 1 year. Expired keys are automatically rejected. |

Important: The full API key is shown only once at creation time. Copy it immediately and store it securely. After dismissing the banner, only the key prefix (sta_abc1...) is visible.

Using an API Key

Pass the key as a Bearer token in the Authorization header:

Authorization: Bearer sta_your_api_key_here

Key Lifecycle

  • Last Used — each key tracks when it was last used, visible in the settings dashboard.
  • Revocation — revoke a key at any time from the dashboard. Revoked keys are kept in history (shown as struck-through) but can never be re-enabled.
  • Expiration — expired keys are rejected with a 401 error. Create a new key to replace it.
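The lifecycle rules above, worked through as an added example (not the product's own code): a key is shown once, persisted only as a hash, tracked by last use, rejected with 401 once expired, and revocable but never re-enabled. The `sta_` prefix length and the hashed storage are assumptions; the page does not describe how keys are stored.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed illustration of the key lifecycle. Assumes the service keeps only a SHA-256 of
# each key so that a leaked database does not yield usable credentials.


@dataclass
class ApiKeyRecord:
    name: str
    prefix: str                      # what the dashboard shows after creation, e.g. "sta_abc1"
    key_hash: str                    # SHA-256 of the full key; the plaintext is never persisted
    expires_at: Optional[datetime]   # None models the "Never" expiration option
    revoked: bool = False
    last_used_at: Optional[datetime] = None


def _hash(full_key: str) -> str:
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_key(name: str, expires_in_days: Optional[int], now: Optional[datetime] = None):
    """Return (full_key, record). The full key is handed out exactly once; only the record is stored."""
    now = now or datetime.now(timezone.utc)
    full_key = "sta_" + secrets.token_urlsafe(24)
    expires_at = None if expires_in_days is None else now + timedelta(days=expires_in_days)
    record = ApiKeyRecord(name=name, prefix=full_key[:8], key_hash=_hash(full_key), expires_at=expires_at)
    return full_key, record


def revoke(record: ApiKeyRecord) -> None:
    """Revocation is one-way: the record stays in history and there is deliberately no un-revoke."""
    record.revoked = True


def authenticate(authorization: str, store: dict, now: Optional[datetime] = None):
    """Check an Authorization header value against the store. Returns (status, reason);
    the reason is for server-side logs, the client only sees the status."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token.strip():
        return 401, "missing bearer token"
    record = store.get(_hash(token.strip()))
    if record is None:
        return 401, "unknown key"
    if record.revoked:
        return 401, "key revoked"
    if record.expires_at is not None and now >= record.expires_at:
        return 401, "key expired"
    record.last_used_at = now                # feeds the "Last Used" column in the dashboard
    return 200, record.name


def demo():
    """Walk one key through its lifecycle; returns the status seen at each step."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    full_key, record = create_key("CI/CD Pipeline", expires_in_days=7, now=t0)
    store = {record.key_hash: record}
    header = "Bearer " + full_key
    fresh = authenticate(header, store, now=t0)[0]
    expired = authenticate(header, store, now=t0 + timedelta(days=8))[0]
    revoke(record)
    revoked = authenticate(header, store, now=t0)[0]
    return {"fresh": fresh, "expired": expired, "revoked": revoked, "prefix": record.prefix}
```

`demo()` returns `{"fresh": 200, "expired": 401, "revoked": 401, ...}`, matching the behaviour the list above describes: once a key has expired or been revoked, the only path forward is creating a new one.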

OAuth 2.1 Clients

For interactive flows, third-party app integrations, or clients that support the MCP Authorization Specification, you can register OAuth 2.1 clients. This enables a full browser-based consent flow where users authorize access without sharing long-lived secrets.

Client Types

Public Client

For desktop apps and SPAs that cannot securely store a secret. Uses PKCE only. Best for Claude Desktop, Cursor, Windsurf, and browser-based tools.

Confidential Client

For server-side apps that can store a client secret. Choose between POST body (recommended) or Basic header auth methods.
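To make the two authentication methods concrete, here is an added example (not code from this product) that builds the token-endpoint request both ways and shows the server-side counterpart that accepts either one. The endpoint URL, client id, secret and code values are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Added illustration of client_secret_post ("POST body") versus client_secret_basic ("Basic header").
# All values passed in below are placeholders; nothing here is taken from a real deployment.


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri, code_verifier, method="post"):
    """Build an authorization_code exchange. method is 'post' (secret in the form body) or
    'basic' (secret in an Authorization header). OAuth 2.1 sends the PKCE code_verifier either way."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif method == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before base64 so a ':' in the secret is safe.
        creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    else:
        raise ValueError("method must be 'post' or 'basic'")
    return {"url": token_endpoint, "headers": headers, "body": urlencode(form)}


def extract_client_credentials(headers, body):
    """Server side: accept either method, refuse both at once, return (client_id, client_secret)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in form
    if in_header and in_body:
        raise ValueError("client used more than one authentication method")  # forbidden by RFC 6749
    if in_header:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        cid, _, secret = raw.partition(":")
        return unquote(cid), unquote(secret)
    if in_body:
        return form["client_id"], form["client_secret"]
    raise ValueError("no client authentication presented")
```

Whichever method you pick, the secret travels only inside the TLS-protected request; the difference is purely where the server looks for it, which is why the server must reject requests that present it in both places.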

Registering a Client

Go to Settings → MCP Setup → OAuth Clients and click Register New OAuth Client. You will need to provide:

  • Client Name — identifies the application in consent screens and dashboards.
  • Client Type — Public (PKCE-only) or Confidential (with a client secret).
  • Redirect URIs — one or more exact-match callback URLs your application uses.
  • Scope & Permissions — same workspace / project / folder scoping as API keys.

Confidential clients: The client secret is shown only once. Copy both the Client ID and Client Secret immediately.

OIDC & OAuth Discovery

The MCP server implements the Protected Resource Metadata spec (RFC 9728), allowing MCP clients to automatically discover the authorization server. Clients that support auto-discovery will work without any manual OAuth configuration.

Discovery Flow

  1. Client sends an unauthenticated request to the MCP endpoint.
  2. Server responds with 401 and a WWW-Authenticate header containing a resource_metadata URL.
  3. Client fetches the Protected Resource Metadata document at that URL.
  4. The metadata document points to the authorization server with standard OAuth/OIDC endpoints.

Well-Known Endpoints

| Endpoint | Purpose |
| --- | --- |
| /.well-known/oauth-protected-resource | Protected Resource Metadata (RFC 9728) |
| /.well-known/oauth-authorization-server | OAuth 2.0 AS Metadata (RFC 8414) |
| /.well-known/openid-configuration | OIDC Discovery. Scopes: openid, email, profile |
| /.well-known/jwks.json | JSON Web Key Set for token verification |
| /oauth/clients/register | Dynamic Client Registration (DCR) |
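The four discovery steps, followed end to end as an added example that is not code from this product or from any MCP SDK. The 401 challenge and the two metadata documents are constructed stand-ins for what a server would return, and mcp.example.com / auth.example.com are placeholders. The example also covers the PKCE step a public client needs before it can open the consent flow, and it includes the two consistency checks RFC 9728 and RFC 8414 require so that a hostile MCP endpoint cannot steer a client to an authorization server of its choosing.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed challenge and metadata documents; placeholders, not captured from a real deployment.
MCP_URL = "https://mcp.example.com/mcp"
CHALLENGE = 'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"'
DOCUMENTS = {
    "https://mcp.example.com/.well-known/oauth-protected-resource": {
        "resource": "https://mcp.example.com/mcp",
        "authorization_servers": ["https://auth.example.com"],
    },
    "https://auth.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://auth.example.com",
        "authorization_endpoint": "https://auth.example.com/oauth/authorize",
        "token_endpoint": "https://auth.example.com/oauth/token",
        "registration_endpoint": "https://auth.example.com/oauth/clients/register",
        "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
        "code_challenge_methods_supported": ["S256"],
    },
}


def fetch_json(url):
    """Stands in for an HTTPS GET; a real client would insist on https and verify TLS."""
    return DOCUMENTS[url]


def parse_www_authenticate(header):
    """Split 'Bearer k="v", k2="v2"' into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme.lower(), params


def discover(mcp_url, challenge, fetch=fetch_json):
    """Steps 2-4: follow the 401 challenge to the authorization server metadata."""
    scheme, params = parse_www_authenticate(challenge)
    if scheme != "bearer" or "resource_metadata" not in params:
        raise ValueError("challenge does not advertise resource metadata")
    prm = fetch(params["resource_metadata"])
    if prm.get("resource") != mcp_url:               # RFC 9728: must name the resource we are calling
        raise ValueError("resource metadata is for a different resource")
    issuer = prm["authorization_servers"][0].rstrip("/")
    meta = fetch(issuer + "/.well-known/oauth-authorization-server")  # RFC 8414, issuer without a path
    if meta.get("issuer") != issuer:                 # RFC 8414: issuer must match where it was fetched
        raise ValueError("authorization server metadata issuer mismatch")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not support PKCE S256")
    return meta


def pkce_pair():
    """Public clients have no secret; PKCE binds the authorization code to this client instance."""
    verifier = secrets.token_urlsafe(64)   # 86 URL-safe chars, inside RFC 7636's 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """What the authorization server checks when the code is redeemed at the token endpoint."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, challenge)


def build_authorization_url(meta, client_id, redirect_uri, resource, scope="openid email profile"):
    """Start the browser consent flow. Returns (url, code_verifier, state) for the caller to keep."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,         # must exactly match a registered redirect URI
        "scope": scope,
        "state": state,                       # echoed back; reject callbacks whose state differs
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "resource": resource,                 # RFC 8707 resource indicator, as the MCP spec requires
    }
    return meta["authorization_endpoint"] + "?" + urlencode(query), verifier, state
```

The `resource` and `issuer` checks are the part worth keeping even if you throw the rest away: without them, any endpoint that can answer with a 401 can point your client at an authorization server it controls and collect the resulting consent.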

Which Should I Use?

| Scenario | Recommended |
| --- | --- |
| Personal MCP client (Claude, Cursor) | API Key: quick, no OAuth flow needed |
| CI/CD pipelines and scripts | API Key: short expiration, tight scoping |
| Third-party app integration | OAuth 2.1 Public Client: browser consent flow |
| Server-to-server integration | OAuth 2.1 Confidential Client: with secret |
| VS Code / auto-discovery client | OAuth 2.1: handles discovery via RFC 9728 |

Next Steps