Skip to main content
ClickFlow uses different authentication for MCP and the REST API:
  • MCP — OAuth via Clerk. No API key needed — your MCP client handles login automatically.
  • REST API — API keys. Required for all REST requests.

OAuth (MCP)

MCP authentication works via OAuth — the same login you use at app.clickflow.com. When you connect an MCP client like Claude, Cursor, or Windsurf, it will open a browser login on first use. You sign in with your regular ClickFlow account. No API key or manual setup required. Flow:
  1. MCP client discovers auth requirements via /.well-known/oauth-protected-resource
  2. Client redirects to Clerk for login
  3. User authenticates and grants access
  4. MCP client receives a token
  5. All subsequent tool calls use this token automatically
OAuth users have full access to all tools — no scope restrictions.

OAuth metadata endpoint

GET https://api.clickflow.com/v1/.well-known/oauth-protected-resource

{
  "resource": "https://api.clickflow.com/v1/mcp",
  "authorization_servers": ["https://your-app.clerk.accounts.dev"]
}

API Keys (REST API)

API keys are required for the REST API. They can also be used with MCP as an alternative to OAuth (e.g., for non-interactive/automated setups). Format: Keys start with cf_ak_ followed by a random string. Create a key: Dashboard > Settings > API Keys > Create API Key.

Headers

Every request requires an Authorization header: 
Authorization: Bearer cf_ak_your_key_here
Optionally, override the default organization: 
X-Organization-Id: org_abc123

Access

API keys have full access to all tools — no scope restrictions.

Key properties

PropertyDescription
statusactive, revoked, or expired
expiresAtOptional expiration timestamp
lastUsedAtUpdated on each use
organizationIdDefault org for this key

Error responses

401 Unauthorized

Returned when the token is missing, invalid, or expired. 
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://api.clickflow.com/v1/.well-known/oauth-protected-resource"

{"error": "unauthorized"}

403 Forbidden

Returned when access is denied (e.g., wrong organization). 
HTTP/1.1 403 Forbidden

{"detail": "Access denied"}