
# Authentication

## API Management Endpoints

All server management API requests require authentication:

```bash theme={null}
Authorization: Bearer YOUR_API_KEY  # Required
x-alloy-userid: YOUR_USER_ID        # Optional when using API key
```

Alternatively, authenticate with a JWT instead of an API key:

```bash theme={null}
x-alloy-user-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

## MCP Protocol Endpoints

Two authentication methods are available:

<Steps>
  <Step title="Token URL">
    No additional headers needed:

    ```
    https://mcp.runalloy.com/mcp/{serverId}/{accessToken}
    ```
  </Step>

  <Step title="API Key">
    Requires authentication headers:

    ```bash theme={null}
    https://mcp.runalloy.com/mcp/{serverId}
    Authorization: Bearer YOUR_API_KEY
    x-alloy-userid: YOUR_USER_ID
    ```
  </Step>
</Steps>

## JWT User Isolation

Servers support automatic userId extraction from JWTs:

* When the `x-alloy-user-token` header carries a JWT, the server extracts the userId from the JWT payload
* Each JWT user gets isolated data, keyed on the userId taken from their JWT

Example:

```bash theme={null}
curl -X POST https://mcp.runalloy.com/mcp/{serverId}/{token} \
  -H "x-alloy-user-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {...}, "id": 1}'
```
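The isolation above is only as strong as the check the server makes before it trusts the userId it pulls out of the token. The following is an added example, not code from Alloy's servers or from this documentation, showing that check done safely: the HS256 signature (the documented sample token's header, `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`, decodes to `{"alg":"HS256","typ":"JWT"}`) and the expiry are verified before the `userId` claim is used as an isolation key, and a token whose header says anything other than HS256 is refused. The secret, the `userId` claim name and the `mint_hs256_jwt` helper are assumptions for the demo; a real deployment uses the issuer's signing key and claim layout.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: a real deployment uses the issuer's signing key.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Demo-only helper (assumption): issue a compact HS256 JWT over `claims`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def user_id_from_jwt(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """Return the `userId` claim only after signature and expiry check out.

    Raises ValueError for anything that must not become an isolation key:
    malformed tokens, an alg other than HS256 (so `alg=none` is refused),
    bad signatures, expired tokens, and tokens with no non-empty userId.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison: verify BEFORE reading any claim.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict):
        raise ValueError("malformed payload")
    exp = payload.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    user_id = payload.get("userId")  # claim name is an assumption for the demo
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("missing userId claim")
    return user_id


def token_is_accepted(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True only if user_id_from_jwt would succeed."""
    try:
        user_id_from_jwt(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = mint_hs256_jwt({"userId": "user_a", "exp": 2_000_000_000}, DEMO_SECRET)
    print(good.split(".")[0])                    # header prefix matches the docs' sample
    print(user_id_from_jwt(good, DEMO_SECRET))   # user_a
    header_b64, _, sig_b64 = good.split(".")
    forged_payload = _b64url_encode(b'{"userId":"user_b","exp":2000000000}')
    forged = header_b64 + "." + forged_payload + "." + sig_b64
    print(token_is_accepted(forged, DEMO_SECRET))  # False: payload swapped, signature no longer matches
```

The order matters: the signature is checked over the exact encoded header and payload before either is parsed for claims, so a payload rewritten to another userId, a token signed with a different key, or a header switched to `alg=none` all fail closed instead of landing in another user's data.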

## Security Best Practices

1. **Never share your API key or token URL** - Treat them like passwords
2. **Rotate keys regularly** - Generate new keys periodically
3. **Use restrictions** - Limit what each server can access
4. **Monitor usage** - Check logs for unexpected activity
5. **Store credentials securely** - Use environment variables or secret managers
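Practices 1, 4 and 5 meet in client code at two points: where the headers from the sections above are assembled, and where requests get logged. The following is an added example, not an Alloy SDK or code from this documentation: it builds the documented `Authorization`/`x-alloy-userid` or `x-alloy-user-token` headers from environment variables (the variable names `ALLOY_API_KEY`, `ALLOY_USER_ID` and `ALLOY_USER_TOKEN` are assumptions), refuses to send an unauthenticated request, and masks the credential-bearing parts (the `{accessToken}` path segment of a token URL and the two auth headers) before anything reaches a log.

```python
import os
import re
from typing import Dict, Mapping, Optional

# Hypothetical environment variable names (an assumption, not from the docs).
API_KEY_ENV = "ALLOY_API_KEY"
USER_ID_ENV = "ALLOY_USER_ID"
USER_TOKEN_ENV = "ALLOY_USER_TOKEN"

# Headers whose values are credentials and must never be logged verbatim.
SENSITIVE_HEADERS = {"authorization", "x-alloy-user-token"}

# Token URL shape from the docs: https://mcp.runalloy.com/mcp/{serverId}/{accessToken}
_TOKEN_URL = re.compile(r"^(https://mcp\.runalloy\.com/mcp/[^/?#]+/)([^/?#]+)(.*)$")


def build_auth_headers(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Assemble the documented auth headers from the environment.

    Prefers the API key (x-alloy-userid is optional alongside it) and falls
    back to a JWT in x-alloy-user-token. Raises rather than sending a request
    with no credential, so a misconfigured deployment fails loudly.
    """
    env = os.environ if env is None else env
    api_key = env.get(API_KEY_ENV)
    if api_key:
        headers = {"Authorization": f"Bearer {api_key}"}
        user_id = env.get(USER_ID_ENV)
        if user_id:
            headers["x-alloy-userid"] = user_id
        return headers
    user_token = env.get(USER_TOKEN_ENV)
    if user_token:
        return {"x-alloy-user-token": user_token}
    raise RuntimeError(f"set {API_KEY_ENV} or {USER_TOKEN_ENV}; never hard-code credentials")


def redact_token_url(url: str) -> str:
    """Mask the {accessToken} path segment of a token URL; other URLs pass through."""
    m = _TOKEN_URL.match(url)
    if not m:
        return url
    return m.group(1) + "[REDACTED]" + m.group(3)


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Copy of `headers` with credential-bearing values masked, for log lines."""
    return {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
        for k, v in headers.items()
    }


def log_line(method: str, url: str, headers: Mapping[str, str]) -> str:
    """What a usage log should record for a request: endpoint and identity, no secrets."""
    return f"{method} {redact_token_url(url)} headers={redact_headers(headers)}"


if __name__ == "__main__":
    # Constructed values for the demo; real values come from your secret manager.
    demo_env = {API_KEY_ENV: "constructed-api-key", USER_ID_ENV: "user_123"}
    hdrs = build_auth_headers(demo_env)
    print(log_line("POST", "https://mcp.runalloy.com/mcp/srv_demo/constructed-token", hdrs))
```

The usage log still records the server, the method and the `x-alloy-userid` value, which is what monitoring for unexpected activity needs, while the API key, the JWT and the token URL's access token never appear in it.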
