Authentication

Attribution.ai supports OAuth + PKCE for connector flows and bearer tokens for direct MCP requests.

OAuth + PKCE (Recommended)

Use OAuth for ChatGPT, Claude, and Gemini connector onboarding. Discovery and token endpoints:

/.well-known/oauth-authorization-server
/.well-known/oauth-protected-resource
POST /api/mcp/authorize
POST /api/mcp/token
POST /api/mcp/register

API Keys

Generate API keys from Connect Your AI in the dashboard. Keys are scoped to a brand/workspace and are shown once at creation.

bash

curl -X POST https://attribution.ai/api/mcp/rpc \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer atai_your_key_here" \
 -d'{"jsonrpc":"2.0","method":"tools/list","id":1}'

CLI Authentication

The Attribution AI CLI supports OAuth login, service keys, and API keys:

bash

# Browser OAuth (recommended for humans)
attribution auth login

# Service key (recommended for automation)
attribution auth login --service-key atai_svc_xxx

# API key env fallback
export ATTRIBUTION_API_KEY="atai_your_key_here"
attribution tools list

Credential priority: --service-key / --api-key flag > env vars > saved OAuth session.

Rate Limits

MCP limits are enforced per minute and are calculated from monthly order volume:

Monthly Orders	Rate / Minute	Notes
1 - 5,000	10	Default baseline
5,001 - 25,000	60	Higher throughput for growing stores
25,001+	300	High-volume stores

When rate limited, the API returns HTTP 429 with JSON-RPC error data that includes current usage and your current per-minute rate.

Key Management

Create: Use one key per integration or agent runtime
Revoke: Immediately disables access for any tool using the key

Security Best Practices

Keep your keys safe

Never expose your API key in client-side code or public repositories. Use environment variables to store keys in production.

Rotate keys periodically
Monitor usage on the Connect Your AI dashboard
Prefer OAuth for interactive users and API keys for non-interactive workloads

Authentication

Attribution.ai supports OAuth + PKCE for connector flows and bearer tokens for direct MCP requests.

OAuth + PKCE (Recommended)

Use OAuth for ChatGPT, Claude, and Gemini connector onboarding. Discovery and token endpoints:

/.well-known/oauth-authorization-server
/.well-known/oauth-protected-resource
POST /api/mcp/authorize
POST /api/mcp/token
POST /api/mcp/register

API Keys

Generate API keys from Connect Your AI in the dashboard. Keys are scoped to a brand/workspace and are shown once at creation.

bash

curl -X POST https://attribution.ai/api/mcp/rpc \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer atai_your_key_here" \
 -d'{"jsonrpc":"2.0","method":"tools/list","id":1}'

CLI Authentication

The Attribution AI CLI supports OAuth login, service keys, and API keys:

bash

# Browser OAuth (recommended for humans)
attribution auth login

# Service key (recommended for automation)
attribution auth login --service-key atai_svc_xxx

# API key env fallback
export ATTRIBUTION_API_KEY="atai_your_key_here"
attribution tools list

Credential priority: --service-key / --api-key flag > env vars > saved OAuth session.

Rate Limits

MCP limits are enforced per minute and are calculated from monthly order volume:

Monthly Orders	Rate / Minute	Notes
1 - 5,000	10	Default baseline
5,001 - 25,000	60	Higher throughput for growing stores
25,001+	300	High-volume stores

When rate limited, the API returns HTTP 429 with JSON-RPC error data that includes current usage and your current per-minute rate.

Key Management

Create: Use one key per integration or agent runtime
Revoke: Immediately disables access for any tool using the key

Security Best Practices

Keep your keys safe

Never expose your API key in client-side code or public repositories. Use environment variables to store keys in production.

Rotate keys periodically
Monitor usage on the Connect Your AI dashboard
Prefer OAuth for interactive users and API keys for non-interactive workloads