Skip to main content
MCP servers often require authentication to access their tools. Craft Agents supports several authentication methods to securely connect to protected servers.

Authentication Types

The authType field in your MCP source configuration determines how authentication is handled:

OAuth Authentication

For servers that support OAuth, set authType to "oauth":
When you first use this source:
  1. Craft Agents detects OAuth authentication is required
  2. A browser window opens for you to authorize access
  3. After approval, you’re redirected back to the application
  4. The OAuth token is stored securely for future use

Token Refresh

OAuth tokens are automatically refreshed when they expire. If a refresh fails, you’ll be prompted to re-authenticate.

Bearer Token Authentication

For servers that use static API keys or bearer tokens, set authType to "bearer":
When you first use this source, you’ll be prompted for your API key:
Credentials are stored encrypted locally in ~/.craft-agent/credentials.enc, not in your configuration files.

Public Servers

For servers that don’t require authentication, set authType to "none":
No additional configuration needed.

Local Servers (Stdio)

Local servers using stdio transport typically don’t require network authentication:
If a local server requires credentials (e.g., database passwords), it typically reads them from environment variables or config files rather than through the MCP authentication flow.

Credential Management

Viewing Stored Credentials

You can’t view the actual credential values, but you can see what’s stored:
Shows credential scopes like:

Removing Credentials

To clear credentials for a specific source, delete its entry from the credentials file or remove the source entirely from Settings > Sources. To clear all credentials:

Credential Scoping

Credentials are scoped hierarchically using a 3-part key format:
This means:
  • Different workspaces have separate credentials
  • Removing a source removes its credentials
  • Credentials don’t leak between workspaces

Example: Multiple Auth Types

A workspace with sources using different authentication methods:
  • GitHub - OAuth, opens browser for login
  • Exa Search - Bearer, prompts for API key
  • File System - Stdio, no network auth needed
  • Public API - none, no auth required

Troubleshooting Authentication

  • Check your default browser is working
  • Ensure GUI access is available from the terminal
  • Firewall may be blocking the local callback server
  • Verify the token has required permissions/scopes
  • Check if the token has expired
  • Confirm the server URL is correct
  • Ensure authType matches what the server expects
  • Token may have been revoked
  • Credentials file may have been corrupted
  • Remove the source in Settings and re-add it to authenticate again
  • Remove the source in Settings > Sources
  • Re-add the source and authenticate with the correct account
  • Check you’re logged into the right account in your browser

Security Best Practices

OAuth tokens can be scoped, revoked, and rotated. Static tokens are harder to manage securely.
Let Craft Agents prompt for tokens rather than storing them in configuration files.
When creating API keys or authorizing OAuth, grant only the permissions the source needs.
For sensitive services, periodically clear and re-enter credentials to ensure they’re current.