Skip to content

Authentication

Every request to the Estaite MCP server must carry a valid API key. The server accepts three transport options, in order of preference.

Get an API key

API keys are issued from the estaite.com/developers dashboard. Each key is tied to a workspace and a billing tier. See Rate limits for the per-tier per-second limits and Pricing for monthly quotas.

Option 1 — x-api-key header (preferred)

Recommended for any code-driven client (mcp-remote, custom agents, curl, HTTP libraries).

POST / HTTP/1.1
Host: mcp.estaite.com
Content-Type: application/json
x-api-key: mk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Option 2 — Authorization: Bearer

For clients that complete the OAuth 2.1 authorization-code flow (e.g. Claude.ai web’s custom-connector flow), the resulting access token is your API key, and it’s sent as a Bearer token.

POST / HTTP/1.1
Host: mcp.estaite.com
Content-Type: application/json
Authorization: Bearer mk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You normally never set this header by hand — the OAuth client handles it. Use Option 1 for everything you write yourself.

Option 3 — ?key= query string

The standard auth method for clients that only accept a URL and don’t expose request headers — Claude Desktop Connectors, ChatGPT custom GPTs, embedded integrations, and anywhere you need a single shareable URL configuration.

https://mcp.estaite.com?key=mk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The server scrubs ?key= values from durable request logs, so the key isn’t retained server-side. Use the header form anywhere your client supports custom headers (typically code-driven integrations).

Order of resolution

If a request carries more than one of these, the server uses the first one it finds in this order:

  1. x-api-key header
  2. Authorization: Bearer header
  3. ?key= query string

Rotating keys

You can issue, label, and revoke keys at any time from estaite.com/developers. Revocation is immediate — the revoked key returns a 401 on the next request.

Errors

StatusMeaning
401 UnauthorizedMissing key, malformed key, or revoked key.
403 ForbiddenKey valid but the workspace is suspended.
429 Too Many RequestsPer-second rate limit or monthly quota exceeded. See Rate limits.