Secure your MCPCodex applications with API keys, OAuth 2.0, and JWT tokens. Learn how to authenticate users and manage access permissions.
The fastest way to get started is with an API key. Sign up for a free account and generate your key in the dashboard.
import { MCPCodex } from '@mcpcodex/sdk';

// Initialize with API key
const mcp = new MCPCodex({
  apiKey: process.env.MCP_API_KEY,
  environment: 'production' // or 'sandbox'
});

// Authenticate and verify connection
try {
  const auth = await mcp.auth.verify();
  console.log('Authenticated as:', auth.user.email);
  console.log('Organization:', auth.organization.name);
  console.log('Plan:', auth.subscription.plan);
} catch (error) {
  console.error('Authentication failed:', error.message);
}
API keys: Simple and secure for server-to-server communication and personal projects.
OAuth 2.0: Industry standard for third-party applications and user delegation.
JWT tokens: Stateless tokens with embedded claims, perfect for microservices.
# Get your API key from https://app.mcpcodex.com/settings/api
curl -H "Authorization: Bearer YOUR_API_KEY" \
     -H "Content-Type: application/json" \
     https://api.mcpcodex.com/v1/user/profile

# Example response
{
  "id": "usr_1234567890",
  "email": "[email protected]",
  "name": "Jane Developer",
  "organization": {
    "id": "org_0987654321",
    "name": "Acme Corp",
    "plan": "enterprise"
  },
  "permissions": ["read:code", "write:code", "deploy:apps"],
  "rate_limits": {
    "requests_per_hour": 10000,
    "tokens_per_minute": 100000
  }
}
OAuth 2.0 is the recommended approach for applications that need to access MCPCodex on behalf of users. It provides secure, scoped access with user consent.
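// OAuth 2.0 Flow
// Generate an unguessable, per-request state value and keep it for the callback check
const state = crypto.randomUUID();
sessionStorage.setItem('mcp_oauth_state', state);

const authUrl = mcp.auth.getAuthorizationUrl({
  clientId: 'your-client-id',
  redirectUri: 'https://your-app.com/callback',
  scopes: ['read:code', 'write:code', 'deploy:apps'],
  state
});

// Redirect user to authUrl
window.location.href = authUrl;

// Handle callback
const handleCallback = async (code, state) => {
  // Reject the callback unless state matches the value issued above (CSRF protection)
  const expectedState = sessionStorage.getItem('mcp_oauth_state');
  sessionStorage.removeItem('mcp_oauth_state');
  if (!expectedState || state !== expectedState) {
    throw new Error('OAuth state mismatch');
  }

  // The client secret must never be shipped to the browser: run this exchange on your server
  const tokens = await mcp.auth.exchangeCode({
    code,
    clientId: 'your-client-id',
    clientSecret: process.env.CLIENT_SECRET,
    redirectUri: 'https://your-app.com/callback'
  });

  // Store tokens securely
  // (localStorage is readable by any script running on the origin)
  localStorage.setItem('mcp_access_token', tokens.access_token);
  localStorage.setItem('mcp_refresh_token', tokens.refresh_token);
};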
MCPCodex uses JSON Web Tokens (JWT) for stateless authentication. Tokens are short-lived and must be refreshed periodically.
// JWT Token Management
const refreshToken = async () => {
  try {
    const response = await fetch('https://api.mcpcodex.com/auth/refresh', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${localStorage.getItem('mcp_refresh_token')}`
      }
    });

    // fetch() does not reject on HTTP error statuses, so check explicitly
    if (!response.ok) {
      throw new Error(`Token refresh failed with status ${response.status}`);
    }

    const tokens = await response.json();

    // Update stored tokens
    localStorage.setItem('mcp_access_token', tokens.access_token);
    localStorage.setItem('mcp_refresh_token', tokens.refresh_token);

    return tokens.access_token;
  } catch (error) {
    // Redirect to login
    window.location.href = '/login';
    return null;
  }
};

// Automatic token refresh
const apiCall = async (endpoint, options = {}) => {
  let token = localStorage.getItem('mcp_access_token');

  const response = await fetch(endpoint, {
    ...options,
    headers: {
      ...options.headers,
      'Authorization': `Bearer ${token}`
    }
  });

  if (response.status === 401) {
    // Token expired, refresh and retry
    token = await refreshToken();
    // Refresh failed: refreshToken() is already redirecting to login, so do not retry
    if (!token) return response;

    return fetch(endpoint, {
      ...options,
      headers: {
        ...options.headers,
        'Authorization': `Bearer ${token}`
      }
    });
  }

  return response;
};
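Because tokens are short-lived and the refresh call above stores a new refresh token each time, a client can refresh shortly before expiry and make concurrent callers share a single refresh request. The following is an added example, not MCPCodex SDK code: decodeJwtPayload, needsRefresh, singleFlight and SAMPLE_TOKEN are hypothetical names, and it assumes the access token is a compact JWT with a numeric exp claim.

```javascript
// Added example: helper names are hypothetical, not part of the MCPCodex SDK.

// Decode a JWT payload WITHOUT verifying the signature. Use only to schedule
// refreshes on the client; authorization decisions belong to the server.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

// True when the token is missing, malformed, or expires within skewSec seconds.
function needsRefresh(token, nowSec = Math.floor(Date.now() / 1000), skewSec = 60) {
  try {
    const { exp } = decodeJwtPayload(token);
    return typeof exp !== 'number' || exp - nowSec <= skewSec;
  } catch {
    return true;
  }
}

// Wrap a refresh function so concurrent callers share one in-flight request.
// Assumption: the server invalidates the old refresh token when it issues a
// new one, so two parallel refreshes would make the second one fail.
function singleFlight(refreshFn) {
  let inFlight = null;
  return () => {
    if (!inFlight) {
      inFlight = (async () => refreshFn())().finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed sample token (placeholder signature), exp = 1700000000.
const toB64Url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toB64Url({ alg: 'HS256', typ: 'JWT' }),
  toB64Url({ sub: 'usr_1234567890', exp: 1700000000 }),
  'constructed-signature'
].join('.');

// Usage with the page's refreshToken(): refresh early, and only once.
// const refreshOnce = singleFlight(refreshToken);
// if (needsRefresh(localStorage.getItem('mcp_access_token'))) await refreshOnce();
```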
Your API key is invalid, expired, or missing. Check that you're passing the correct key in the Authorization header.
You don't have permission to access this resource. Check your API key permissions or OAuth scopes.
You've exceeded your rate limit. Implement exponential backoff and check your usage in the dashboard.
Our security team can help you implement authentication correctly and securely.