Skip to content
Back

MCP Authentication

How authentication works — API keys, auth.md agent registration, and connecting agents to LiveFolio.

Getting an API Key

  1. Go to Settings → API Keys in the dashboard
  2. Click Generate Agent Key
  3. Give it a name (e.g., "Claude Code", "Cursor")
  4. Copy the key — it's shown only once

The key format: lf_agent_xxxxxxxxxxxx

Using Your Key

Include the key as a Bearer token in the Authorization header:

{
  "mcpServers": {
    "livefolio": {
      "url": "https://livefolio.cloud/api/mcp",
      "transport": "sse",
      "headers": {
        "Authorization": "Bearer lf_agent_xxxxxxxxxxxx"
      }
    }
  }
}

If your MCP client doesn't support custom headers, pass the key as a query parameter:

https://livefolio.cloud/api/mcp?key=lf_agent_xxxxxxxxxxxx

How Auth Works

Agent connects to /api/mcp
    │
    ▼
Authorization header or ?key= parameter extracted
    │
    ▼
API key validated against your organization
    │
    ▼
On success: organization context injected
    │
    ▼
Request proceeds — agent can call tools

Agent-Native Registration (auth.md)

LiveFolio implements the open auth.md protocol. Agents can autonomously register and acquire API keys — no human dashboard interaction needed.

Discovery

Agents discover auth endpoints from the protected resource metadata:

GET https://livefolio.cloud/.well-known/oauth-protected-resource

User Claimed Flow (OTP)

  1. Register — initialize an anonymous session:

    POST /api/agent/auth
    
  2. Claim — send the user's email to trigger a 6-digit code:

    POST /api/agent/auth/claim
    { "email": "user@example.com" }
    
  3. Complete — user provides the code, session upgrades to persistent API key:

    POST /api/agent/auth/claim/complete
    { "code": "123456" }
    

The full protocol guide is served at /auth.md:

curl https://livefolio.cloud/auth.md

Key Management

  • Name keys descriptively — "Claude Code (MacBook)" not "key1"
  • One key per agent — don't share keys between tools
  • Rotate regularly — generate new keys and revoke old ones
  • Revoke instantly — delete a key from Settings to invalidate all connections using it

Troubleshooting

"Unauthorized" error

  1. Verify the key hasn't been revoked (check Settings → API Keys)
  2. Check the header format: Authorization: Bearer lf_agent_...
  3. Ensure the key belongs to the correct workspace

Agent can't discover auth endpoints

The /.well-known/oauth-protected-resource and /auth.md endpoints are public. If they're not reachable, check your instance URL.

Self-Hosted Auth

Self-hosted instances have different authentication behavior. See Self-Hosting: Configuration for details.