Authentication Modes
OAuth 2.1 for human users, API keys for headless/CI — when to use each.
OAuth 2.1 (recommended for human users)
When a user connects an MCP client, Autousers launches an OAuth 2.1 PKCE flow. The client receives a short-lived access token (~15 min) that rotates automatically via a refresh token. No static credentials are stored on the client side.
- Best for: interactive sessions in Claude.ai, Cursor, VS Code, ChatGPT
- Token TTL: ~15 minutes (access), refresh tokens rotate on each use
- Revoke: remove the connector from your AI client's settings
API keys (headless / CI / scripts)
API keys are long-lived bearer tokens that do not require a browser. Use them in CI pipelines, server-side scripts, or any environment where OAuth is impractical.
- Best for: Claude Code with --header flag, Codex CLI --bearer-token, automated scripts
- Format: ak_live_<token>
- Manage keys at /settings/api-keys
- Never commit keys to source control — use environment variables or secrets managers
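One way to enforce the no-commit rule is a pre-commit check that scans staged additions for the `ak_live_` prefix. This is an added example, not Autousers' own code. The token length and alphabet in the pattern, the `AUTOUSERS_API_KEY` variable, the `run_evals` command and the `scan_keys.py` filename are assumptions, and the sample diff is constructed.

```python
import re
import sys

# Assumption: the token after the documented "ak_live_" prefix is 16 or more
# URL-safe characters; the page gives the prefix only, not length or alphabet.
KEY_RE = re.compile(r"\bak_live_[A-Za-z0-9_-]{16,}")
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample: a staged change that swaps an env-var lookup for a literal key.
SAMPLE_DIFF = """\
diff --git a/ci/deploy.sh b/ci/deploy.sh
--- a/ci/deploy.sh
+++ b/ci/deploy.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
-TOKEN="$AUTOUSERS_API_KEY"
+TOKEN="ak_live_CONSTRUCTEDexample0000wxyz"
+# format is ak_live_<token>
 run_evals --token "$TOKEN"
"""

def redact(key):
    """Keep the prefix and last 4 characters so the key can be identified without leaking it."""
    return "ak_live_..." + key[-4:]

def scan_added_lines(diff_text):
    """Return (path, new_line_no, redacted_key) for each key on an added line of a unified diff."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            lineno, in_hunk = (int(m.group(1)) - 1 if m else 0), True
        elif in_hunk and line.startswith("+"):
            lineno += 1
            findings += [(path, lineno, redact(k)) for k in KEY_RE.findall(line[1:])]
        elif in_hunk and line.startswith(" "):
            lineno += 1  # context lines advance numbering; "-" lines do not
    return findings

if __name__ == "__main__":
    # Hook use: git diff --cached | python scan_keys.py -   (exits 1 on a hit)
    hook = sys.argv[1:] == ["-"]
    hits = scan_added_lines(sys.stdin.read() if hook else SAMPLE_DIFF)
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: possible API key {key}")
    sys.exit(1 if hook and hits else 0)
```

The documented placeholder `ak_live_<token>` does not match, so docs and comments that quote the format do not trip the check. A key that has already reached a commit should be treated as exposed and replaced at /settings/api-keys.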
Available OAuth scopes
- templates:read — list and fetch templates
- templates:write — create, update, delete, duplicate templates
- evaluations:read — list, fetch, export, view results
- evaluations:write — create, update, delete, share evaluations
- autousers:read — list and fetch autousers and run details
- autousers:write — create, update, delete, run, calibrate autousers
- ratings:read — list ratings for an evaluation
- ratings:write — (reserved for future use)
API keys currently carry all scopes. Scope-restricted keys are planned — watch the changelog.