Authentication
Every API and MCP call is authenticated. There are two mechanisms.
API keys (for CLI, IDE and server clients)
Pass your key as a bearer token:
Authorization: Bearer agentdata_sk_ab12cdef…
You can also pass it as a query parameter where headers aren't convenient: ?api_key=agentdata_sk_…
Key facts:
- Format: agentdata_sk_ followed by a hex secret.
- Each key is scoped to your tenant and user, and tracks last_used_at.
- Only a SHA-256 hash is stored; the plaintext key is shown once, at creation. Save it then.
Create a key
In the app: Query → Connect → Create key. Or via the API:
curl -X POST https://agentdata.mdm.biskilled.com/api/keys \
-H "Authorization: Bearer <existing_session_or_key>" \
-H "Content-Type: application/json" \
-d '{"name": "claude-desktop"}'
The response returns the plaintext key (once), plus its prefix and name. List keys with GET /api/keys and revoke with DELETE /api/keys/{key_id}.
A key can read everything your tenant's confirmed model exposes. Store it in a secret manager, never commit it, and revoke keys you no longer use.
OAuth 2.1 (for web connectors)
Web connectors such as claude.ai and ChatGPT authenticate over OAuth 2.1 instead of a static key. AgentData advertises its authorization server via .well-known/oauth-protected-resource, so a compliant client discovers and completes the flow automatically. Tokens are per-application and scoped to your tenant.
Enforcement
In production, the API and MCP endpoints fail closed — a request with no valid credential gets 401, and the response carries a WWW-Authenticate header so web connectors can discover the OAuth server. In local development this can be relaxed for convenience.
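The hash-only key storage from "Key facts" and the fail-closed 401 described above can be sketched together as follows. This is an added example, not AgentData's own code. The in-memory store, the function names, the 32-byte secret length, the placeholder host and the resource_metadata challenge parameter (taken from RFC 9728) are all assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "agentdata_sk_"
# Placeholder host; the metadata path is the one the page names.
METADATA_URL = "https://api.example.test/.well-known/oauth-protected-resource"
KEYS = {}  # SHA-256 hex digest -> record; the plaintext is never stored


def digest(key):
    # The secret is long and random, so a fast unsalted hash is adequate
    # here (this would not be true for user-chosen passwords).
    return hashlib.sha256(key.encode()).hexdigest()


def create_key(tenant, user, name):
    """Mint a key, keep only its hash, return the plaintext exactly once."""
    key = PREFIX + secrets.token_hex(32)  # 32 random bytes: assumed length
    KEYS[digest(key)] = {"tenant": tenant, "user": user, "name": name,
                         "prefix": key[:len(PREFIX) + 4],  # safe to display
                         "last_used_at": None, "revoked": False}
    return key


def revoke(key):
    # Hypothetical helper; the real API revokes by key_id.
    KEYS[digest(key)]["revoked"] = True


def authenticate(headers):
    """Fail closed: return (200, {}, record) or a 401 with a challenge."""
    deny = (401, {"WWW-Authenticate":
                  f'Bearer resource_metadata="{METADATA_URL}"'}, None)
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.startswith(PREFIX):
        return deny
    record = KEYS.get(digest(token))
    if record is None or record["revoked"]:
        return deny
    record["last_used_at"] = datetime.now(timezone.utc)
    return 200, {}, record


if __name__ == "__main__":
    key = create_key("tenant-1", "user-1", "claude-desktop")  # constructed
    print(authenticate({"Authorization": f"Bearer {key}"})[0])  # valid key
    print(authenticate({})[0])                                  # no credential
```

Because only the digest is kept, a leaked copy of this store does not reveal usable keys, and a lost key cannot be recovered, only revoked and replaced.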