Authentication & API Keys
Multiplist supports two authentication methods. Remote clients (Claude Desktop, ChatGPT) authenticate via OAuth 2.1 with PKCE — no keys to manage. Local and scripted use cases use MCP tokens.
# OAuth 2.1 with PKCE
The easiest option for Claude Desktop, ChatGPT, and any MCP client that speaks StreamableHTTP.
- Configure the client with https://multiplist.ai/mcp.
- On first use, the client opens the Multiplist login page in your browser.
- Approve the connection — the token is stored in the client, refreshed automatically.
- No API keys to copy or rotate.
# MCP tokens
For headless use — scripts, CI/CD, local stdio bridges. Generate in Settings → MCP Tokens inside the Multiplist app.
- Prefix: mp_live_
- Storage: SHA-256 hashed at rest. The raw token is shown once at creation — store it in a secrets manager.
- Revocation: tokens can be revoked individually in the settings UI.
# Scopes
Tokens and OAuth sessions are scoped. Grant the minimum scope needed.
| Scope | What it grants |
|---|---|
| seeds:read | Read seeds across the vault |
| seeds:write | Create, update, delete seeds |
| sources:read | Read sources and their content |
| sources:write | Create, update, delete sources |
| skills:read | Read extraction skills |
| skills:write | Create, update, delete skills |
| recall:search | Run vault searches and request research briefs |
| extract:run | Trigger extraction jobs |
A read-only monitoring script typically needs seeds:read, sources:read, skills:read. A full-write automation pipeline uses the write variants too.
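The MCP token storage and revocation rules and the scope model above fit together as in the following added sketch, which is not Multiplist's code. The `TokenStore` class, the token labels and the in-memory table are assumptions made for illustration; only the `mp_live_` prefix, the SHA-256 digest and the scope names come from this page.

```python
import hashlib
import secrets

PREFIX = "mp_live_"  # token prefix documented on this page


def _digest(raw_token):
    # A fast, unsalted hash is adequate only because this example's token is
    # 32 random bytes; it would not be adequate for a human-chosen password.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical in-memory token table: digests only, never raw tokens."""

    def __init__(self):
        self.rows = {}  # digest -> {"label", "scopes", "revoked"}

    def issue(self, label, scopes):
        """Mint a token and return the raw value once; only its digest is kept."""
        raw = PREFIX + secrets.token_urlsafe(32)
        self.rows[_digest(raw)] = {
            "label": label, "scopes": frozenset(scopes), "revoked": False}
        return raw

    def revoke(self, label):
        """Revoke one token by its label, leaving the others usable."""
        for row in self.rows.values():
            if row["label"] == label:
                row["revoked"] = True

    def authorize(self, authorization_header, required_scope):
        """True only for a known, unrevoked token that holds required_scope."""
        scheme, _, raw = authorization_header.partition(" ")
        if scheme != "Bearer" or not raw.startswith(PREFIX):
            return False
        row = self.rows.get(_digest(raw))  # lookup by digest; raw is not stored
        if row is None or row["revoked"]:
            return False
        return required_scope in row["scopes"]


if __name__ == "__main__":
    store = TokenStore()
    monitor = store.issue("monitor", ["seeds:read", "sources:read", "skills:read"])
    header = "Bearer " + monitor
    print(store.authorize(header, "seeds:read"))   # read scope was granted
    print(store.authorize(header, "seeds:write"))  # write scope was not
    store.revoke("monitor")
    print(store.authorize(header, "seeds:read"))   # revoked token is refused
```

Because the table holds only digests, a lost raw token cannot be recovered from it; the token has to be revoked and reissued.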
# Header format
Whether you're calling the REST API or the MCP endpoint with a static token, the format is the same:
Authorization: Bearer mp_live_...
The @multiplist/mcp-server npm bridge reads the token from MULTIPLIST_API_KEY (or the legacy MCP_KEY) env var and forwards it as the x-mcp-key header on every request.