Authentication

The Forvibe MCP server accepts two authentication methods. Both are first-class — pick the one that fits your client.

Personal API keys

API keys are static Bearer tokens that grant access to the organization they were minted under. Best for CLI agents (Claude Code, Cursor, Gemini CLI) that prefer config-file auth.

• Created from Settings → API Keys.
• Format: fvk_live_<random-32-byte-base64url>.
• Sent as Authorization: Bearer fvk_live_… header on every request.
• Shown once — store immediately, you can't view the full secret again.
• Revocable any time from the dashboard.
• Rate-limited at 120 requests / 60 seconds per key (sliding window).

OAuth 2.1 + Dynamic Client Registration

For clients that auto-discover MCP authentication (Claude.ai web, Claude Desktop's Connectors UI, ChatGPT), OAuth is the right path. The client opens a Forvibe consent screen, you approve once, and the client manages tokens transparently.

• Standard: OAuth 2.1 with PKCE (S256), per the MCP spec.
• DCR: the client registers itself automatically via /api/oauth/register — no manual app setup.
• Access tokens are short-lived JWTs (1 hour). Refresh tokens last 90 days and rotate on every use.
• Discoverable via https://forvibe.app/.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource.

Scopes

Forvibe defines fine-grained scopes per tool category. New API keys default to wildcard (* — full access); future UI will let you mint scoped keys.

• projects:read, projects:write
• aso:read, aso:write
• screenshots:read, screenshots:write
• store:read, store:write
• review:simulate

Revoking access

Both API keys and OAuth sessions live under Settings → API Keys. Revoking either is instant — within seconds the affected client starts receiving 401s and can re-authenticate or be removed.