Authentication

Every request to the Estaite MCP server must carry a valid API key. The server accepts three transport options, in order of preference.

Get an API key

API keys are issued from the estaite.com/developers dashboard. Each key is tied to a workspace and a billing tier. See Rate limits for the per-tier per-second limits and Pricing for monthly quotas.

Option 1 — x-api-key header (preferred)

Recommended for any code-driven client (mcp-remote, custom agents, curl, HTTP libraries).

POST / HTTP/1.1
Host: mcp.estaite.com
Content-Type: application/json
x-api-key: est_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Option 2 — Authorization: Bearer

For clients that complete the OAuth 2.1 authorization-code flow (e.g. Claude.ai web’s custom-connector flow), the resulting access token is your API key, and it’s sent as a Bearer token.

POST / HTTP/1.1
Host: mcp.estaite.com
Content-Type: application/json
Authorization: Bearer est_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You normally never set this header by hand — the OAuth client handles it. Use Option 1 for everything you write yourself.

Option 3 — ?key= query string

Required by clients that only accept a URL and don’t expose request headers (Claude Desktop Connectors, ChatGPT custom GPTs).

https://mcp.estaite.com?key=est_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Query-string keys are scrubbed from durable server logs (the request URL is rewritten to remove key=), but they’re still present in browser history, proxy logs, and shared screenshots. Prefer the header anywhere a header is available.

Order of resolution

If a request carries more than one of these, the server uses the first one it finds in this order:

  1. x-api-key header
  2. Authorization: Bearer header
  3. ?key= query string

Rotating keys

You can issue, label, and revoke keys at any time from estaite.com/developers. Revocation is immediate — the revoked key returns a 401 on the next request.

Errors

Status                 Meaning
401 Unauthorized       Missing key, malformed key, or revoked key.
403 Forbidden          Key valid but the workspace is suspended.
429 Too Many Requests  Per-second rate limit or monthly quota exceeded. See Rate limits.