Authentication
OAuth for MCP Skills and API keys for direct HTTP public-data calls.
UnifAPI has two authentication paths:
- MCP OAuth for agent workflows and Skills.
- API keys for direct HTTP calls from product code, scripts, or custom runtimes.
OAuth and API keys authorize access to UnifAPI workspace credits. They are not source-provider tokens and do not grant private user-account access on Twitter/X, Google, CRM, or other SaaS platforms.
MCP OAuth
MCP clients should use OAuth when they support it. Add the hosted MCP server URL, authenticate in the browser when the agent first needs tools, and the OAuth token is bound to your UnifAPI workspace:
https://mcp.unifapi.comThe MCP protected resource metadata is available at:
https://mcp.unifapi.com/.well-known/oauth-protected-resourceRequired scope:
unifapi:mcpUsers can browse Skills before registering. Registration happens during the OAuth flow when a client needs to call list_operations, get_operation, or call_api.
See MCP integration for Claude, ChatGPT custom MCP apps, OpenClaw, Hermes, Codex, Claude Code, Cursor, VS Code, and other MCP client setup.
API keys
Direct HTTP API calls authenticate with a single bearer token:
Authorization: Bearer $UNIFAPI_KEY- Keys are workspace-scoped — every team member sees the same usage and billing.
- Keys authorize usage against the workspace credit balance.
- Keys never expire on their own. Revoke and recreate them if you suspect a leak.
Use API keys when you call https://api.unifapi.com directly. Use OAuth when an MCP-capable agent can complete the browser-based flow.
Never commit a live key. Treat it like a password and revoke it from the dashboard if it leaks.
Errors
A 401 means the key is missing, malformed, revoked, disabled, expired, or otherwise invalid:
{
"error": {
"type": "unauthorized",
"message": "Missing or invalid API key."
}
}See Errors for the full vocabulary.