Authentication

All API requests require a Bearer token in the Authorization header.

API keys

API keys follow the format sk_live_* and are generated through the web app’s workspace settings. Each key is associated with a workspace and its connected channels.

Authorization: Bearer sk_live_your_api_key

How it works

Your request includes the API key in the Authorization: Bearer header
The server SHA256-hashes the key and looks it up in Redis (mcp:apikey:* prefix)
The stored context includes the workspace ID and credentials for each connected channel (Meta, LinkedIn, Google)
Per-request credentials are injected via AsyncLocalStorage — each tool call uses the correct channel credentials automatically

Channel connections

A single API key can have multiple channels connected. The key’s stored context looks like:

{
  "keyId": "key_abc123",
  "workspaceId": "ws_xyz789",
  "channels": {
    "meta": {
      "accessToken": "EAAB...",
      "accountId": "123456789"
    },
    "linkedin": {
      "accessToken": "Bearer ...",
      "accountId": "987654321"
    },
    "google-ads": {
      "accessToken": "ya29...",
      "refreshToken": "1/..."
    }
  }
}

If you call a source that isn’t connected in your API key, you’ll get a 403 FORBIDDEN error with ChannelNotConnectedError.

Error responses

Status	Code	Meaning
401	`UNAUTHORIZED`	Missing or invalid API key
403	`FORBIDDEN`	Channel not connected for this key

Getting Started

Concepts

Sources

Authentication

Authentication

API keys

How it works

Channel connections

Error responses

Getting Started

Concepts

Sources

​Authentication

​API keys

​How it works

​Channel connections

​Error responses

Authentication

API keys

How it works

Channel connections

Error responses