Authentication

The MCP server accepts two authentication methods. Both are passed via the Authorization header.

API keys

The standard method. API keys encode machine-to-machine credentials:

Authorization: Bearer aph_live_YOUR_API_KEY

On each request the server validates the key, extracts the tenant_id, and scopes all queries to your tenant.

JWTs

If you already have a valid JWT from an OAuth token exchange, you can pass it directly:

Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

The JWT must contain:

  • tenant_id claim
  • mcp:read in the permissions array
  • Valid aud matching the Aphelios API audience
  • Valid iss matching your Auth0 domain

Required scope

All MCP tools require the mcp:read scope. Requests without this scope receive a 403 Forbidden.

Data isolation

Every tool call is scoped to the tenant identified in the token. Row-Level Security enforces this at the database level -- there is no way to access another tenant's data through the MCP server.

Error responses

Status   Meaning
401      Missing or invalid token
403      Token valid but missing mcp:read scope
429      Rate limit exceeded (see Rate Limits)
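As an added example (not the Aphelios project's own code), the following Python function applies the JWT claim rules listed above and maps each failure to the 401/403 statuses in this table: a malformed token, an unexpected signing algorithm, an expired token, or a wrong iss, aud or missing tenant_id yields 401, while a well-formed token that lacks mcp:read in its permissions array yields 403. The audience and issuer values are constructed placeholders, and the function assumes your JWT library has already verified the RS256 signature against the issuer's keys; it performs only the claim checks, and the sample tokens carry a placeholder signature for that reason.

```python
import base64
import json
import time

# Constructed placeholders for this example; a real deployment sets these from config.
EXPECTED_AUD = "https://api.aphelios.example"        # assumed Aphelios API audience
EXPECTED_ISS = "https://your-tenant.auth0.example/"  # assumed Auth0 issuer URL
REQUIRED_SCOPE = "mcp:read"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_token(header, claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature"]
    return ".".join(_b64url_encode(p) for p in parts)


def check_token(token, now=None):
    """Map a bearer token to (status, detail) using the rules on this page.

    Assumes the caller has ALREADY verified the RS256 signature against the
    issuer's signing keys; this function performs only the claim checks.
    On success it returns (200, tenant_id) so the caller can scope queries.
    """
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # wrong segment count, bad base64url, or bad JSON
        return 401, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, "malformed token"
    # Accept only the algorithm this issuer uses; "none" or a symmetric alg is rejected.
    if header.get("alg") != "RS256":
        return 401, "unexpected alg"
    if "exp" in claims and claims["exp"] <= now:
        return 401, "token expired"
    if claims.get("iss") != EXPECTED_ISS:
        return 401, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if EXPECTED_AUD not in aud_list:
        return 401, "audience mismatch"
    if not claims.get("tenant_id"):
        return 401, "missing tenant_id"
    if REQUIRED_SCOPE not in claims.get("permissions", []):
        return 403, f"missing {REQUIRED_SCOPE} scope"
    return 200, claims["tenant_id"]


if __name__ == "__main__":
    # Constructed sample claims; tenant and timestamps are illustrative only.
    good = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "tenant_id": "t_123",
            "permissions": ["mcp:read"], "exp": 2_000_000_000}
    header = {"alg": "RS256", "typ": "JWT"}
    print(check_token(make_token(header, good), now=1_700_000_000))
    print(check_token(make_token(header, {**good, "permissions": ["mcp:write"]}), now=1_700_000_000))
    print(check_token(make_token({"alg": "none"}, good), now=1_700_000_000))
```

The order of checks matters: signature, algorithm, expiry, issuer and audience all establish that the token is trustworthy at all, so their failures are 401; only once the token is accepted does a missing mcp:read become an authorization failure, which is why it is the single 403 path.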