MCP
Authentication
The Chat Thing MCP server accepts two kinds of credential. Both resolve to the same permissions - whichever you use, your agent can only do what your account can do.
- OAuth is the default for interactive clients (Claude Code, Cursor, Windsurf, VS Code). There is no key to copy: your client sends you to a browser consent screen, you approve, and the client is issued a token automatically.
- API keys are the escape hatch for CI, scripts and any client that cannot open a browser. You generate a key once and pass it as a bearer token.
OAuth connect
When an interactive client connects for the first time, it discovers Chat Thing's OAuth configuration from the server, registers itself, and opens a browser window. On that screen you will see:
- The client that is requesting access (for example, Claude Code).
- The team the agent will act on behalf of.
- The read/write scope the agent will get.
Approve the request and the client is connected. Deny it and no token is issued.
What the agent can do
Your token maps to the same team scoping the rest of Chat Thing uses:
- Membership of a team grants read access to that team.
- Being an owner or admin of a team grants write access.
So an agent connected to your account can read from every team you belong to and write to the teams you administer - never more than you can do yourself.
Approve only clients you trust
The consent screen is your control point. Because any client can register itself, only approve a connection you started yourself from a client you recognise. If a consent screen appears that you did not trigger, deny it.
Revoking access
You can revoke a connected agent at any time from the connect flow in the app. Revoking cuts the agent's ability to refresh its access, so it loses access once its current token expires. Revoke a connection whenever you stop using a client or want to cut off access immediately.
API key
Use an API key when a browser consent flow is not possible - CI jobs, scripts, or headless agents.
- Open the connect flow in Chat Thing and choose the API-key path.
- Generate a key and copy it. Treat it like a password - anyone with the key has your access.
- Pass it to your client as a bearer token in the
Authorizationheader:
{
"mcpServers": {
"chatthing": {
"url": "https://app.chatthing.ai/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}
The key authenticates on every request, so no browser step is needed. Keys resolve to the same team scoping as OAuth.
Keep keys out of source control
Store your key in a secret manager or environment variable, never commit it to a repository, and rotate it if it is ever exposed. You can revoke and regenerate a key from your account at any time.
Which should I use?
| Use case | Recommended |
|---|---|
| Coding agent on your machine (Claude Code, Cursor, Windsurf, VS Code) | OAuth |
| CI pipeline or scheduled job | API key |
| A client that cannot open a browser | API key |
| You want revocation without touching config | OAuth |
Once you are connected, see the tool reference for everything the agent can do, or follow the build-a-bot guide.