Authentication and Headers
Use authentication settings to tell InstaMCP how to call your API.
Supported Patterns
Common options include:
- Bearer token.
- API key in a single header.
- OAuth2.
- Custom header.
- Multiple custom headers.
- Dynamic visitor token through double-hop authentication.
Bearer Token
Use Bearer token when your API expects:
Authorization: Bearer YOUR_TOKEN
Choose Bearer Token and provide the token value.
API Key Header
Use API key when your API expects a named header, for example:
X-API-Key: YOUR_API_KEY
Choose API Key and enter the header name and key.
Custom Headers
Use custom headers when your API requires one or more fixed headers.
Examples:
X-Client-Id: abc123
X-Environment: production
Only add headers your API needs. Do not add visitor-specific secrets here.
OAuth2
Use OAuth2 only when your workspace and API flow are configured for it. If you are unsure which OAuth2 flow your API uses, contact support or your API owner before publishing.
Dynamic Visitor Auth
Use Double-Hop Authentication when API calls must run as the current visitor of your website or app.
Do not store individual visitor tokens as static bridge secrets.
Choosing the Right Option
| API requirement | Use |
|---|---|
| Same server token for every request | Bearer token or API key |
| Multiple fixed headers | Custom headers |
| Token changes per website visitor | Double-hop authentication |
| Enterprise identity flow | Contact support |
Verification Checklist
- A test tool call succeeds.
- The API receives the expected headers.
- Static keys are not exposed to the browser.
- Visitor-specific auth uses double-hop instead of static settings.