Skip to main content

Authentication and Headers

Use authentication settings to tell InstaMCP how to call your API.

Supported Patterns

Common options include:

  • Bearer token.
  • API key in a single header.
  • OAuth2.
  • Custom header.
  • Multiple custom headers.
  • Dynamic visitor token through double-hop authentication.

Bearer Token

Use Bearer token when your API expects:

Authorization: Bearer YOUR_TOKEN

Choose Bearer Token and provide the token value.

API Key Header

Use API key when your API expects a named header, for example:

X-API-Key: YOUR_API_KEY

Choose API Key and enter the header name and key.

Custom Headers

Use custom headers when your API requires one or more fixed headers.

Examples:

X-Client-Id: abc123
X-Environment: production

Only add headers your API needs. Do not add visitor-specific secrets here.

OAuth2

Use OAuth2 only when your workspace and API flow are configured for it. If you are unsure which OAuth2 flow your API uses, contact support or your API owner before publishing.

Dynamic Visitor Auth

Use Double-Hop Authentication when API calls must run as the current visitor of your website or app.

Do not store individual visitor tokens as static bridge secrets.

Choosing the Right Option

API requirementUse
Same server token for every requestBearer token or API key
Multiple fixed headersCustom headers
Token changes per website visitorDouble-hop authentication
Enterprise identity flowContact support

Verification Checklist

  • A test tool call succeeds.
  • The API receives the expected headers.
  • Static keys are not exposed to the browser.
  • Visitor-specific auth uses double-hop instead of static settings.