Authentication
How to authenticate with Agent Platform and secure your MCP server.
Webhook Source Tokens
Each webhook source has a unique token used to authenticate incoming events. Include it in the X-Webhook-Token header.
```bash
curl -X POST https://agent-platform.example.com/webhooks/events \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Token: whk_abc123def456" \
  -d '{"event_type": "invoice.uploaded", "payload": {...}}'
```

| Field | Type | Description |
|---|---|---|
| X-Webhook-Token* | string | The webhook source token. Starts with the whk_ prefix. |
Webhook tokens are sensitive credentials. Store them in your secrets manager and never commit them to source control. Rotate tokens immediately if compromised.
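
One way to enforce the source-control rule above, as an added example rather than Agent Platform code: it scans the added lines of a git unified diff for strings shaped like webhook tokens and reports them redacted. The token pattern beyond the documented whk_ prefix and the names `findTokensInDiff` and `redact` are assumptions.

```javascript
// Added example, not Agent Platform code. Assumption: a token is "whk_" plus 8 or
// more letters, digits, "_" or "-"; the page documents only the "whk_" prefix.
const WEBHOOK_TOKEN_RE = /\bwhk_[A-Za-z0-9_-]{8,}/g;

// Keep the first 8 characters so a finding can be located without copying
// the whole secret into hook or CI output.
function redact(token) {
  return token.slice(0, 8) + "*".repeat(token.length - 8);
}

// Parse git unified diff text and return [{ file, line, redacted }] for every
// token-shaped string on an added ("+") line. Removed lines are ignored.
function findTokensInDiff(diffText) {
  const findings = [];
  let file = null, line = 0, inHunk = false;
  for (const raw of diffText.split(/\r?\n/)) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) {
      line = Number(hunk[1]); // first line number of the hunk in the new file
      inHunk = true;
    } else if (raw.startsWith("diff --git ")) {
      inHunk = false; // next file's headers follow
    } else if (!inHunk && raw.startsWith("+++ ")) {
      file = raw.slice(4).replace(/^b\//, "");
    } else if (inHunk && raw.startsWith("+")) {
      for (const m of raw.slice(1).matchAll(WEBHOOK_TOKEN_RE)) {
        findings.push({ file, line, redacted: redact(m[0]) });
      }
      line++;
    } else if (inHunk && raw.startsWith(" ")) {
      line++; // context line: counts toward numbering, not scanned
    }
  }
  return findings;
}

// Constructed sample diff: one token added, one removed, one env lookup added.
const SAMPLE_DIFF = [
  "diff --git a/send.js b/send.js",
  "--- a/send.js",
  "+++ b/send.js",
  "@@ -3,2 +3,3 @@",
  " const url = process.env.WEBHOOK_URL;",
  '-const token = "whk_oldoldoldold";',
  '+const token = "whk_abc123def456";',
  "+const other = process.env.WEBHOOK_TOKEN;",
].join("\n");

console.log(findTokensInDiff(SAMPLE_DIFF));
```

In a pre-commit hook, pass it the output of `git diff --cached -U0` and fail the commit when the returned array is non-empty.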
MCP Server Authentication
When Agent Platform calls your MCP server, it includes an authorization token so you can verify the request is legitimate.
Outbound request from Agent Platform
```http
POST /mcp HTTP/1.1
Host: your-app.example.com
Content-Type: application/json
Authorization: Bearer sk-your-configured-token

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}
```

The token is configured when you register your skill. Your MCP server should validate this token on every request:
Validate token
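```javascript
const crypto = require("node:crypto");

// Hash both values so timingSafeEqual always compares equal-length buffers.
const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

app.use("/mcp", (req, res, next) => {
  const expected = process.env.MCP_AUTH_TOKEN;
  const token = req.headers.authorization?.replace("Bearer ", "");
  // Fail closed: with MCP_AUTH_TOKEN unset, a request without an Authorization
  // header would otherwise pass, because undefined === undefined.
  if (!expected || !token ||
      !crypto.timingSafeEqual(sha256(token), sha256(expected))) {
    return res.status(401).json({
      jsonrpc: "2.0",
      error: { code: -32000, message: "Unauthorized" },
    });
  }
  next();
});
```

API Authentication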
The ConnectRPC management API uses Auth0 JWT tokens for authentication.
```bash
# Obtain a token from Auth0
TOKEN=$(curl -s -X POST https://your-auth0-domain/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",
    "audience": "https://agent-platform.example.com",
    "grant_type": "client_credentials"
  }' | jq -r '.access_token')

# Use the token with the API
curl https://agent-platform.example.com/api/v1/agents \
  -H "Authorization: Bearer $TOKEN"
```

API authentication is only required for the management API (creating agents, skills, triggers). Webhook events use source tokens instead.