DocsGet startedAuthentication
Credential boundaries

Authentication and authority

Understand Public REST API keys, signed-in Console sessions, and delegated MCP credentials before integrating EntireFeed.

On this page

EntireFeed uses separate credentials because each surface represents a different authority model. Select the credential by the route or tool you are calling, not by convenience.

Authority is surface-specific

Public discovery and estimation are unauthenticated. Public execution and organization-scoped API reads use a Public REST API key. Browser Console actions use a signed-in session. Console MCP uses a separately revocable delegated credential for the current user and organization.

Never substitute one credential for another. Console routes do not accept an efapi_live_... key as a browser session, and Public REST routes do not treat an efmcp_live_... credential as an API key.

Handle secrets once

API key and MCP secrets are shown in full when they are created and remain valid until revoked. Store them in a secret manager or local environment variable, name credentials by integration, and revoke credentials that are exposed or no longer needed.

01

Credential matrix

SurfaceCredentialAuthority
Public discovery and estimateNoneCurrent public task, model, pricing, and request estimate contracts
Public REST executionefapi_live_...Organization-scoped execution and reads; any active REST key for the organization can access its public operations
Signed-in ConsoleSession cookie or Console tokenThe current user, organization membership, role, and capabilities
Console MCPefmcp_live_...Delegated current-user authority, re-evaluated on every request
02

Public REST API keys

Public RESTAuthorization: Bearer efapi_live_...

Create keys in Console. A key is scoped to one organization, displayed in full once, and independently revocable. Public discovery and estimation do not require it; execution and organization reads do.

03

Signed-in Console sessions

Signed-in ConsoleHTTP-only browser session

Passwordless email sign-in establishes the current user and selected organization. Console applies the user's current membership, role, and capabilities. Do not export the browser cookie as an integration credential.

04

Delegated MCP credentials

Console MCPAuthorization: Bearer efmcp_live_...

MCP credentials delegate the owner's current Console authority and can be revoked separately. User role changes, membership removal, organization deletion, and revocation affect access when each request resolves.