Authentication

Exayard accepts three kinds of bearer tokens on every /v1 request:

| Token type    | Format                 | When to use                                  |
|---------------|------------------------|----------------------------------------------|
| API key       | sk_live_...            | Server-to-server integrations + CLI          |
| OAuth token   | Clerk-issued           | Third-party connected apps + MCP clients     |
| Session token | Clerk web session      | Browser calls from apps/web                  |

All three go in the Authorization: Bearer … header.

API keys

Create one at /settings/profile/security. Pick only the scopes the integration needs (read:projects, write:estimates, etc.) — see Scopes.

OAuth for agents

For third-party MCP clients, start from the Protected Resource Metadata document rather than a hard-coded issuer: it advertises the authorization server and the DCR registration endpoint, so a client can bootstrap itself from nothing but the API URL. See Dynamic Client Registration.

WWW-Authenticate on 401

Every 401 includes a WWW-Authenticate: Bearer realm="Exayard API", resource_metadata="..." header so MCP clients can discover the auth server without hard-coding it.
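The discovery step an MCP client performs from that 401 (parse the challenge, fetch the Protected Resource Metadata, check it before trusting the authorization server it names), as an added example that is not Exayard's own client code. The header parser follows the RFC 6750 challenge syntax and the metadata field names follow RFC 9728; the hostnames, the metadata document and the `fetch` callable are constructed for this example and are not Exayard's real values:

```python
"""Authorization-server discovery from a 401 challenge, as an MCP client does it.

Constructed example. All *.example.invalid URLs and the metadata document
below are assumptions for illustration, not Exayard's real endpoints.
"""
import json
import re
from urllib.parse import urlsplit

# key="quoted value" or key=token, comma-separated (RFC 6750 challenge params)
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_bearer_challenge(header):
    """Parse a WWW-Authenticate value into its parameters.

    Returns a dict with lower-cased keys, or None if the scheme is not Bearer.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    out = {}
    for key, quoted, bare in _PARAM_RE.findall(params):
        # Quoted strings may contain backslash-escaped characters; unescape them.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        out[key.lower()] = value
    return out


def discover_authorization_server(www_authenticate, resource_url, fetch):
    """Return the authorization server issuer advertised for resource_url.

    fetch(url) must return the body of a GET to url as a string. The checks
    here are what keep a tampered 401 from steering the client to an
    attacker-controlled authorization server.
    """
    challenge = parse_bearer_challenge(www_authenticate)
    if not challenge or "resource_metadata" not in challenge:
        raise ValueError("401 carried no Bearer challenge with resource_metadata")

    prm_url = challenge["resource_metadata"]
    if urlsplit(prm_url).scheme != "https":
        raise ValueError("refusing non-HTTPS resource_metadata URL: %s" % prm_url)

    metadata = json.loads(fetch(prm_url))

    # RFC 9728: the 'resource' in the document must be the resource the client
    # was actually calling; otherwise a spoofed challenge could hand it any
    # metadata document it likes.
    if metadata.get("resource") != resource_url:
        raise ValueError("resource metadata is for %r, not %r"
                         % (metadata.get("resource"), resource_url))

    servers = metadata.get("authorization_servers") or []
    if not servers:
        raise ValueError("resource metadata lists no authorization_servers")
    issuer = servers[0]
    if urlsplit(issuer).scheme != "https":
        raise ValueError("refusing non-HTTPS authorization server: %s" % issuer)
    return issuer


# --- constructed sample data (assumptions, not Exayard's real values) --------
RESOURCE = "https://api.example.invalid/v1"
PRM_URL = "https://api.example.invalid/.well-known/oauth-protected-resource/v1"
SAMPLE_401_HEADER = (
    'Bearer realm="Exayard API", resource_metadata="%s"' % PRM_URL
)
SAMPLE_METADATA = {
    "resource": RESOURCE,
    "authorization_servers": ["https://auth.example.invalid"],
    "bearer_methods_supported": ["header"],
}


def offline_fetch(url):
    """Stand-in for an HTTPS GET so the example runs without network access."""
    if url == PRM_URL:
        return json.dumps(SAMPLE_METADATA)
    raise LookupError("unexpected URL in offline fetch: %s" % url)


if __name__ == "__main__":
    print(parse_bearer_challenge(SAMPLE_401_HEADER))
    print(discover_authorization_server(SAMPLE_401_HEADER, RESOURCE, offline_fetch))
```

A real client then continues with the authorization server's own metadata and the registration endpoint (see Dynamic Client Registration); the point of the `resource` comparison is that the 401 is unauthenticated input, so nothing it names is trusted until the fetched document confirms it describes the API the client was calling.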