- OAuth — you run your own chat platform and provision agents through the AgentCard MCP server. Each end user authorizes access through an OAuth flow.
- API key — your agent acts on a user’s behalf inside a chat interface you don’t own (or you’re not using the MCP server at all). You authenticate with an API key.
The two options
OAuth (MCP server)
Use when you own the chat platform and want to provision agents through the
AgentCard MCP server.You embed the MCP server into your own product — for example a self-hosted chat UI
like Open WebUI or LibreChat — and each end user authorizes access with OAuth 2.1.
AgentCard then acts on behalf of that specific user, per-user and scoped to what they
approved.
API key
Use when your agent performs actions on a user’s behalf but you don’t own the chat
interface, and/or you aren’t using the MCP server.The canonical example is an agent running inside a host you don’t control, such as
Claude Desktop. There’s no chat platform for you to wire OAuth into, so you
authenticate with an API key instead.
When to use which
| OAuth (MCP server) | API key | |
|---|---|---|
| You own the chat interface | Yes — your own chat app (Open WebUI, LibreChat, …) | No — a host you don’t control (e.g. Claude Desktop) |
| Using the AgentCard MCP server | Yes — provision agents through it | No, or not applicable |
| Who authorizes | Each end user, via an OAuth flow | You, with a key scoped to your organization |
| Best for | Embedding AgentCard into a product you operate | Agents running in third-party hosts, or direct REST use |
Next steps
Connect via the MCP server (OAuth)
Point your chat platform at the AgentCard MCP server. Each end user authorizes
access through OAuth.
API key authentication
Set up API keys, modes (
sk_test_ / sk_live_), and authenticated requests.Integration guide
End-to-end flow for issuing cards on behalf of your users via the API.