---
title: "Authentication - Chat Thing Documentation"
canonical_url: "https://chatthing.ai/docs/mcp-authentication"
last_updated: "2026-07-13T16:51:23.415Z"
meta:
  description: "How Chat Thing's MCP server authenticates your agent - browser OAuth for interactive clients, and API keys for CI and headless use."
  "og:description": "How Chat Thing's MCP server authenticates your agent - browser OAuth for interactive clients, and API keys for CI and headless use."
  "og:title": Authentication
  "twitter:description": "How Chat Thing's MCP server authenticates your agent - browser OAuth for interactive clients, and API keys for CI and headless use."
  "twitter:title": Authentication
---

**MCP**

# Authentication

The Chat Thing MCP server accepts two kinds of credential. Both resolve to the same permissions - whichever you use, your agent can only do what your account can do.

- **OAuth** is the default for interactive clients (Claude Code, Cursor, Windsurf, VS Code). There is no key to copy: your client sends you to a browser consent screen, you approve, and the client is issued a token automatically.
- **API keys** are the escape hatch for CI, scripts and any client that cannot open a browser. You generate a key once and pass it as a bearer token.

## OAuth connect

When an interactive client connects for the first time, it discovers Chat Thing's OAuth configuration from the server, registers itself, and opens a browser window. On that screen you will see:

- The **client** that is requesting access (for example, Claude Code).
- The **team** the agent will act on behalf of.
- The **read/write scope** the agent will get.

Approve the request and the client is connected. Deny it and no token is issued.

### What the agent can do

Your token maps to the same team scoping the rest of Chat Thing uses:

- Membership of a team grants **read** access to that team.
- Being an **owner or admin** of a team grants **write** access.

So an agent connected to your account can read from every team you belong to and write to the teams you administer - never more than you can do yourself.

🚨

Approve only clients you trust

The consent screen is your control point. Because any client can register itself, only approve a connection you started yourself from a client you recognise. If a consent screen appears that you did not trigger, deny it.

### Revoking access

You can revoke a connected agent at any time from the connect flow in the app. Revoking cuts the agent's ability to refresh its access, so it loses access once its current token expires. Revoke a connection whenever you stop using a client or want to cut off access immediately.

## API key

Use an API key when a browser consent flow is not possible - CI jobs, scripts, or headless agents.

1. Open the connect flow in Chat Thing and choose the API-key path.
2. Generate a key and copy it. Treat it like a password - anyone with the key has your access.
3. Pass it to your client as a bearer token in the `Authorization` header:

```
{
  "mcpServers": {
    "chatthing": {
      "url": "https://app.chatthing.ai/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}
```

The key authenticates on every request, so no browser step is needed. Keys resolve to the same team scoping as OAuth.

🚨

Keep keys out of source control

Store your key in a secret manager or environment variable, never commit it to a repository, and rotate it if it is ever exposed. You can revoke and regenerate a key from your account at any time.

## Which should I use?

| Use case | Recommended |
| --- | --- |
| Coding agent on your machine (Claude Code, Cursor, Windsurf, VS Code) | OAuth |
| CI pipeline or scheduled job | API key |
| A client that cannot open a browser | API key |
| You want revocation without touching config | OAuth |

Once you are connected, see the [tool reference](https://chatthing.ai/docs/mcp-tools) for everything the agent can do, or follow the [build-a-bot guide](https://chatthing.ai/docs/mcp-build-a-bot).