Authentication
Secure access to the Lovelace MCP server
The Lovelace MCP server supports two authentication methods: API keys for simple integrations and OAuth 2.1 for production applications.
API Keys (Recommended for Getting Started)
API keys are the simplest way to authenticate. Pass your key as a Bearer token in the Authorization header.
Creating an API Key
- Go to the API Keys page in your developer dashboard
- Click Create API Key
- Select the scopes you need (read, write, or both)
- Copy and securely store your key
Using API Keys
Include the key in your MCP client configuration:
```json
{
  "mcpServers": {
    "lovelace": {
      "type": "streamable-http",
      "url": "https://mcp.uselovelace.com/mcp",
      "headers": {
        "Authorization": "Bearer lv_key_your_api_key_here"
      }
    }
  }
}
```
Scopes
| Scope | Permissions |
|---|---|
| read | List workspaces, get agent status, search knowledge, read resources |
| write | Spawn agents, create workspaces, store knowledge |
OAuth 2.1 (Production Applications)
For production applications and custom MCP clients, use the OAuth 2.1 Authorization Code flow with PKCE.
Authorization Flow
- Authorization request — Redirect the user to the Lovelace authorization endpoint
- User consent — The user approves access to their Lovelace account
- Token exchange — Exchange the authorization code for an access token
- Use the token — Pass the access token as a Bearer token in MCP requests
Endpoints
| Endpoint | URL |
|---|---|
| Authorization | https://accounts.uselovelace.com/oauth/authorize |
| Token | https://accounts.uselovelace.com/oauth/token |
| Token Introspection | https://accounts.uselovelace.com/oauth/introspect |
| Revocation | https://accounts.uselovelace.com/oauth/revoke |
Authorization Request
```http
GET https://accounts.uselovelace.com/oauth/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=YOUR_REDIRECT_URI
  &scope=read+write
  &code_challenge=PKCE_CHALLENGE
  &code_challenge_method=S256
  &state=RANDOM_STATE
```
Token Exchange
```http
POST https://accounts.uselovelace.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=YOUR_REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&code_verifier=PKCE_VERIFIER
```
Token Response
```json
{
  "access_token": "lv_at_...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "lv_rt_...",
  "scope": "read write"
}
```
Token Refresh
```http
POST https://accounts.uselovelace.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=lv_rt_...
&client_id=YOUR_CLIENT_ID
```
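The four-step flow and the three requests above, worked through on the client side as an added example (not code from the Lovelace docs or SDK). It generates the PKCE verifier/challenge pair with the S256 method, builds the authorization URL, validates the redirect back (state check, `error` parameter) before exchanging the code, and builds the token-exchange and refresh bodies. The HTTP transport is left to you; the functions only produce and check the messages, so the block runs offline. Names such as `start_authorization`, `parse_callback` and `TokenSet` are this example's own, not Lovelace API names, and the 60-second refresh margin is an assumption.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as documented on this page.
AUTHORIZE_URL = "https://accounts.uselovelace.com/oauth/authorize"
TOKEN_URL = "https://accounts.uselovelace.com/oauth/token"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    verifier: 32 random bytes, base64url without padding (43 chars).
    challenge: base64url(SHA-256(verifier)), also without padding.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def start_authorization(client_id, redirect_uri, scopes, verifier=None):
    """Step 1: build the redirect URL and the per-flow secrets the client must keep.

    The returned `pending` dict (state + code_verifier) never leaves the client;
    it is needed again when the callback arrives and when the code is exchanged.
    """
    verifier, challenge = make_pkce_pair(verifier)
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode() renders the space as '+', i.e. scope=read+write
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "code_verifier": verifier}


def parse_callback(callback_url, pending):
    """Step 2 -> 3: validate the redirect from the authorization server, return the code.

    A missing or mismatched state is rejected (CSRF / mix-up protection), and an
    `error` parameter is surfaced instead of attempting an exchange with no code.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def token_exchange_body(code, client_id, redirect_uri, pending):
    """Step 3: form body for POST /oauth/token; code_verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": pending["code_verifier"],
    }


def refresh_body(refresh_token, client_id):
    """Form body for the refresh grant shown above."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}


class TokenSet:
    """Step 4: hold a token response and decide when to refresh (60 s margin is an assumption)."""

    def __init__(self, response, now=None):
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        self.scope = set(response.get("scope", "").split())
        self.expires_at = (now if now is not None else time.time()) + response["expires_in"]

    def needs_refresh(self, now=None, margin=60):
        return (now if now is not None else time.time()) >= self.expires_at - margin

    def auth_header(self):
        """Header to attach to MCP requests."""
        return {"Authorization": f"Bearer {self.access_token}"}


if __name__ == "__main__":
    url, pending = start_authorization("YOUR_CLIENT_ID", "https://app.example/cb", ["read", "write"])
    print("redirect the user to:", url)
    # Simulated callback (constructed): the server echoes our state and returns a code.
    code = parse_callback(f"https://app.example/cb?code=AUTH_CODE&state={pending['state']}", pending)
    print("POST", TOKEN_URL, urlencode(token_exchange_body(code, "YOUR_CLIENT_ID", "https://app.example/cb", pending)))
```

Keep the `code_verifier` in memory only for the lifetime of one flow and bind `pending` to the user session that started it; a callback whose state does not match the session's pending state must be dropped, not retried.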
Security Best Practices
- Store keys securely — Use environment variables or a secrets manager, never commit keys to version control
- Use minimal scopes — Request only the permissions your application needs
- Rotate keys regularly — Generate new API keys periodically and revoke old ones
- Use OAuth for production — an API key is a long-lived credential that identifies your integration, not a user; OAuth issues short-lived access tokens (one hour in the response above) tied to an explicit user consent and scope, with refresh and revocation, so a leaked token does far less damage
- Monitor usage — Review your API key usage in the developer dashboard to detect unauthorized access
Local Development
When running the MCP server locally via lovelace mcp serve, authentication uses your existing Lovelace CLI session. No additional API key or OAuth setup is required.
See Local Server for details.