Authentication and authority
Understand Public REST API keys, signed-in Console sessions, and delegated MCP credentials before integrating EntireFeed.
On this page
EntireFeed uses separate credentials because each surface represents a different authority model. Select the credential by the route or tool you are calling, not by convenience.
Authority is surface-specific
Public discovery and estimation are unauthenticated. Public execution and organization-scoped API reads use a Public REST API key. Browser Console actions use a signed-in session. Console MCP uses a separately revocable delegated credential for the current user and organization.
Never substitute one credential for another. Console routes do not accept an efapi_live_... key as a browser session, and Public REST routes do not treat an efmcp_live_... credential as an API key.
Handle secrets once
API key and MCP secrets are shown in full when they are created and remain valid until revoked. Store them in a secret manager or local environment variable, name credentials by integration, and revoke credentials that are exposed or no longer needed.
Credential matrix
NoneCurrent public task, model, pricing, and request estimate contractsefapi_live_...Organization-scoped execution and reads; any active REST key for the organization can access its public operationsSession cookie or Console tokenThe current user, organization membership, role, and capabilitiesefmcp_live_...Delegated current-user authority, re-evaluated on every requestPublic REST API keys
Authorization: Bearer efapi_live_...Create keys in Console. A key is scoped to one organization, displayed in full once, and independently revocable. Public discovery and estimation do not require it; execution and organization reads do.
Signed-in Console sessions
HTTP-only browser sessionPasswordless email sign-in establishes the current user and selected organization. Console applies the user's current membership, role, and capabilities. Do not export the browser cookie as an integration credential.
Delegated MCP credentials
Authorization: Bearer efmcp_live_...MCP credentials delegate the owner's current Console authority and can be revoked separately. User role changes, membership removal, organization deletion, and revocation affect access when each request resolves.