Authentication
The developer API and the remote MCP endpoint accept two auth methods: an organization API key (Bearer) or OAuth 2.1.
Bearer API key
Create an organization key (amk_…) in Settings → API keys and send it as a Bearer token on every request. Keys are org-scoped — requests act within that organization only.
Authorization header
Authorization: Bearer amk_xxxxxxxxxxxxxxxxxxxxxxxxOAuth 2.1
For user-delegated access, the platform supports OAuth 2.1 with discovery metadata at /.well-known. Use it when you need to act on behalf of a signed-in user rather than with a static org key.
Never embed a real key in client-side code or commit it. Use an environment variable (e.g. AGENT_TASK_API_KEY) and rotate keys from Settings.