Authentication

Attribution.ai supports OAuth + PKCE for connector flows and bearer tokens for direct MCP requests.

OAuth + PKCE (Recommended)

Use OAuth for ChatGPT, Claude, and Gemini connector onboarding. Discovery and token endpoints:

Authorization supports both active web sessions and email/password fallback. For external connector callbacks, redirect_uri is verified against the OAuth client metadata referenced by client_id.

/.well-known/oauth-authorization-server
/.well-known/oauth-protected-resource
POST /api/mcp/authorize
POST /api/mcp/token
POST /api/mcp/register

API Keys

Generate API keys from Settings > API & AI in the dashboard. This is a power-user extension surface, not the primary product workflow. Keys are scoped to a brand/workspace and are shown once at creation.

bash

curl -X POST https://attribution.ai/api/mcp/rpc \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer atai_your_key_here" \
 -d'{"jsonrpc":"2.0","method":"tools/list","id":1}'

CLI Authentication

The Attribution AI CLI supports OAuth login, service keys, and API keys:

bash

# Browser OAuth (recommended for humans)
attribution auth login

# Service key (recommended for automation)
attribution auth login --service-key atai_svc_xxx

# API key env fallback
export ATTRIBUTION_API_KEY="atai_your_key_here"
attribution tools list

Credential priority: --service-key / --api-keyflag > env vars > saved OAuth session.

Rate Limits

MCP limits are enforced per minute and are calculated from monthly order volume:

Monthly Orders	Rate / Minute	Notes
1 - 5,000	10	Default baseline
5,001 - 25,000	60	Higher throughput for growing stores
25,001+	300	High-volume stores

When rate limited, the API returns HTTP 429 with JSON-RPC error data that includes current usage and your current per-minute rate.

Key Management

Create: Use one key per integration or agent runtime
Revoke: Immediately disables access for any tool using the key

Security Best Practices

Keep your keys safe

Never expose your API key in client-side code or public repositories. Use environment variables to store keys in production.

Rotate keys periodically
Monitor usage in Settings > API & AI
Prefer OAuth for interactive users and API keys for non-interactive workloads

OAuth + PKCE (Recommended)

Use OAuth for ChatGPT, Claude, and Gemini connector onboarding. Discovery and token endpoints:

Authorization supports both active web sessions and email/password fallback. For external connector callbacks, redirect_uri is verified against the OAuth client metadata referenced by client_id.

/.well-known/oauth-authorization-server

/.well-known/oauth-protected-resource

POST /api/mcp/authorize

POST /api/mcp/token

POST /api/mcp/register

API Keys

bash

curl -X POST https://attribution.ai/api/mcp/rpc \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer atai_your_key_here" \
 -d'{"jsonrpc":"2.0","method":"tools/list","id":1}'

CLI Authentication

The Attribution AI CLI supports OAuth login, service keys, and API keys:

bash

# Browser OAuth (recommended for humans)
attribution auth login

# Service key (recommended for automation)
attribution auth login --service-key atai_svc_xxx

# API key env fallback
export ATTRIBUTION_API_KEY="atai_your_key_here"
attribution tools list

Credential priority: --service-key / --api-keyflag > env vars > saved OAuth session.

Rate Limits

MCP limits are enforced per minute and are calculated from monthly order volume:

Monthly Orders	Rate / Minute	Notes
1 - 5,000	10	Default baseline
5,001 - 25,000	60	Higher throughput for growing stores
25,001+	300	High-volume stores

When rate limited, the API returns HTTP 429 with JSON-RPC error data that includes current usage and your current per-minute rate.