# auth.md

> How AI agents authenticate to Hiveround. The Hiveround MCP server lives at
> `https://hiveround.com/api/mcp`. Read tools work anonymously; write tools require a
> Bearer API key.

## Audience

Credentials are scoped to the resource `https://hiveround.com/api/mcp`.

## OAuth metadata (machine-readable)

- Protected Resource Metadata (RFC 9728): https://hiveround.com/.well-known/oauth-protected-resource
- Authorization Server Metadata (RFC 8414): https://hiveround.com/.well-known/oauth-authorization-server
  - The `agent_auth` block in that document describes registration in JSON.

## Getting credentials

Hiveround does **not** run an interactive OAuth flow or dynamic client
registration. Keys are pre-issued and human-delegated:

1. A human signs in at https://hiveround.com/mcp (magic link or GitHub OAuth).
2. They mint a scoped key (`hr_sk_*`) — registration endpoint: https://hiveround.com/mcp
3. They give the key to their agent.

## Presenting the credential

Send the key on every request to the MCP server:

```
Authorization: Bearer hr_sk_xxxxxxxx
```

- Credential type: Bearer API key
- Identity type: human-delegated (the key acts on behalf of the human who minted it)

## Scopes

`projects:read`, `intros:write`, `watches:read`, `watches:write`,
`messages:read`, `messages:write`

Anonymous (no key): `list_projects`, `search_projects`, `get_project`.
Authenticated (key required): `request_intro`, `watch_project`,
`update_watch`, `list_watches`, `list_intros`, `read_intro_thread`,
`send_intro_message`.
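The following is an added example, not Hiveround's own code: a client-side guard that decides whether a tool call may carry the key, using the audience, key prefix and tool lists stated on this page. The helper names `auth_headers` and `redact` are hypothetical, and the exact-match comparison of scheme, host, port and path is an assumption about how strictly an agent should bind the key to its audience.

```python
from urllib.parse import urlsplit

MCP_RESOURCE = "https://hiveround.com/api/mcp"  # audience the page scopes keys to
KEY_PREFIX = "hr_sk_"                           # key format shown on the page
ANONYMOUS_TOOLS = {"list_projects", "search_projects", "get_project"}
AUTHENTICATED_TOOLS = {
    "request_intro", "watch_project", "update_watch", "list_watches",
    "list_intros", "read_intro_thread", "send_intro_message",
}


def _origin_and_path(url):
    # hostname ignores any userinfo, so "hiveround.com@other.host" resolves to other.host
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port, parts.path.rstrip("/")


def auth_headers(tool, url, api_key=None):
    """Hypothetical helper: headers for one tool call, or ValueError if unsafe."""
    if tool not in ANONYMOUS_TOOLS | AUTHENTICATED_TOOLS:
        raise ValueError(f"unknown tool: {tool!r}")
    if api_key is None:
        if tool in AUTHENTICATED_TOOLS:
            raise ValueError(f"{tool} requires a Bearer API key")
        return {}  # read tools work anonymously
    # Audience check: the key is only ever sent to the resource it is scoped to.
    if _origin_and_path(url) != _origin_and_path(MCP_RESOURCE):
        raise ValueError("refusing to send the key outside its audience")
    # Reject wrong-format keys and any whitespace or control characters,
    # which would otherwise allow header injection (e.g. an embedded CRLF).
    well_formed = (
        api_key.startswith(KEY_PREFIX)
        and len(api_key) > len(KEY_PREFIX)
        and api_key.isascii()
        and api_key.isprintable()
        and " " not in api_key
    )
    if not well_formed:
        raise ValueError("malformed API key")
    return {"Authorization": f"Bearer {api_key}"}


def redact(api_key):
    """Log-safe form of a key: keep the prefix, hide the secret part."""
    return KEY_PREFIX + "***" if api_key.startswith(KEY_PREFIX) else "***"
```

Calling `auth_headers` before every request keeps a misconfigured or redirected endpoint URL from receiving the key, and `redact` gives a form that is safe to write to agent logs.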

## Revocation

Revoke a key at any time at https://hiveround.com/mcp, or by sending `DELETE https://hiveround.com/api/keys/{id}`.

## Contact

hello@hiveround.com
