Skip to main content

Session or bearer auth

Most APIs require a bearer token or an active session. SDK and MCP routes use auth:api middleware and expect a valid bearer token.

API clients

Use API clients to generate a client ID and secret. Exchange them at /api/auth/token with grant_type=client_credentials to get a bearer token.

OAuth token endpoint

/api/oauth/token provides an OAuth-compliant token endpoint for client_credentials grant flows.

Security notes

Do not store client secrets in the browser. Use server-side exchanges when possible.