Skip to main content

Authentication

Broker Auth Model

The aggregator uses bearer auth on the broker endpoint.

Header: Authorization
Value format: Bearer mad_live_***

Request Example

curl -X POST 'https://madpanda3d.com/lab/mad-mcps/portal/api/mcp' \
  -H 'Authorization: Bearer mad_live_***' \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc": "2.0",
    "id": "tools",
    "method": "tools/list",
    "params": {}
  }'

OAuth Discovery Routes

OAuth-aware clients can use the exposed discovery aliases:

/.well-known/oauth-authorization-server
/.well-known/openid-configuration
/.well-known/oauth-protected-resource
/authorize
/token

Security Guidance

Never embed live tokens in client-side public code.
Use least-privilege credentials at each upstream MCP.
Rotate tokens immediately if exposure is suspected.

Broker Auth Model
Request Example
OAuth Discovery Routes
Security Guidance