# Authentication (https://docs.docfork.com/core/authentication)
Choose between API keys or OAuth to authenticate your Docfork MCP connection. Both methods work with [Cabinets](/core/cabinets) for project-scoped documentation.
API Keys [#api-keys]
API keys give you explicit control over authentication. Create separate keys per AI agent for easier debugging and revocation.
Create a key [#create-a-key]
1. Open [app.docfork.com/api-keys](https://app.docfork.com/api-keys)
2. Go to **API Keys**
3. Click **Create Key**
4. Name the key by client or project (for example `cursor-main` or `opencode-agent`)
Keys are shown once and have the pattern `docf_***`.
Use a key in MCP config [#use-a-key-in-mcp-config]
Add your API key to the `DOCFORK_API_KEY` header:
```diff
{
"mcpServers": {
"docfork": {
"url": "https://mcp.docfork.com/mcp",
+ "headers": {
+ "DOCFORK_API_KEY": "YOUR_API_KEY"
+ }
}
}
}
```
Team sharing [#team-sharing]
Share API keys with your team through your workspace. Everyone using the same key gets access to the same [Cabinets](/core/cabinets) and libraries.
Rotate or revoke [#rotate-or-revoke]
* Delete unused keys from **API Keys**
* Create replacement keys before removing active keys
* Keep one key per client when possible for easier debugging and revocation
Key limits [#key-limits]
Free tier currently supports up to **3 API keys** per workspace.
OAuth 2.0 [#oauth-20]
OAuth eliminates key management by handling authentication through your browser. Sign in once, and your client handles token refresh automatically. Use OAuth for quick setup or when you need workspace SSO and shared settings.
OAuth works with remote HTTP connections only. For local MCP connections using stdio transport
(like `npx docfork`), use [API keys](#api-keys) instead. Note that remote connections also support
API keys — OAuth is optional and mainly for convenience.
Quick setup [#quick-setup]
Switch your endpoint from `/mcp` to `/mcp/oauth`:
```diff
{
"mcpServers": {
"docfork": {
- "url": "https://mcp.docfork.com/mcp",
+ "url": "https://mcp.docfork.com/mcp/oauth", // Change to OAuth endpoint
"headers": {
- "DOCFORK_API_KEY": "YOUR_API_KEY" // Remove this line
}
}
}
}
```
Authentication flow [#authentication-flow]
1. Your MCP client connects to the OAuth endpoint
2. Browser opens to Docfork sign-in
3. After authentication, you're redirected back
4. Client automatically refreshes tokens as needed
After configuring the OAuth endpoint, authenticate manually through your client's MCP settings.
Most clients don't auto-authenticate on first connection. For example, in Claude Code: run `/mcp`,
select Docfork, then choose "Authenticate".
Client requirements [#client-requirements]
Your MCP client must support the [MCP OAuth specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). If your client doesn't support OAuth, API keys work with all MCP clients.
Choosing a method [#choosing-a-method]
| Use case | Method |
| ---------------------------------- | ---------- |
| Local stdio connections | `API Keys` |
| Quick setup without key management | `OAuth` |
| Per-client key management | `API Keys` |
| Workspace SSO and shared settings | `OAuth` |
| Automation and CI/CD | `API Keys` |
| Avoid manual key rotation | `OAuth` |
| Remote HTTP connections | `Either` |
Both methods work identically with [Cabinets](/core/cabinets) — your authentication method does
not affect documentation scoping.