MCP

Authentication

An MCP client inherits exactly the identity it authenticates as — and can only do what that identity can. There are two flows, by client type.

Connector (OAuth)

Claude.ai, Claude Desktop, and ChatGPT authorize over OAuth — add the server URL and approve the connection in your browser. There's no key to manage. The connection inherits the role and company of whoever authorized it.

API key

Claude Code, Cursor, VS Code, Codex, and any headless or CI client send a scoped key as a bearer token: Authorization: Bearer <api-key>. Create one in Settings → API Keys; the key carries its own scopes. stdio-only clients bridge through mcp-remote.

Permissions

Either way, the assistant can only do what that identity can — a connector inherits your role and company, a key carries the scopes you granted it. Use a separate key per client, so revoking one doesn't break the rest.

Errors

Status

When it happens

401

Connector: re-authorize from your client. Key: it's missing, malformed, expired, or deleted — recreate it and update the Authorization header.

403

The identity lacks the required module permission (or the company is on the Starter plan).