# Authentication and authority

> Understand Public REST API keys, signed-in Console sessions, and delegated MCP credentials before integrating EntireFeed.

Canonical: https://entirefeed.com/docs/get-started/authentication

EntireFeed uses separate credentials because each surface represents a different authority model. Select the credential by the route or tool you are calling, not by convenience.

## Authority is surface-specific

Public discovery and estimation are unauthenticated. Public execution and organization-scoped API reads use a Public REST API key. Browser Console actions use a signed-in session. Console MCP uses a separately revocable delegated credential for the current user and organization.

Never substitute one credential for another. Console routes do not accept an `efapi_live_...` key as a browser session, and Public REST routes do not treat an `efmcp_live_...` credential as an API key.

## Handle secrets once

API key and MCP secrets are shown in full when they are created and remain valid until revoked. Store them in a secret manager or local environment variable, name credentials by integration, and revoke credentials that are exposed or no longer needed.

## Credential matrix

| Surface | Credential | Authority |
| --- | --- | --- |
| Public discovery and estimate | `None` | Current public task, model, pricing, and request estimate contracts |
| Public REST execution | `efapi_live_...` | Organization-scoped execution and reads; any active REST key for the organization can access its public operations |
| Signed-in Console | `Session cookie or Console token` | The current user, organization membership, role, and capabilities |
| Console MCP | `efmcp_live_...` | Delegated current-user authority, re-evaluated on every request |

## Public REST API keys

Create keys in [Console](https://console.entirefeed.com) and send them as `Authorization: Bearer efapi_live_...`. The key is organization-scoped, is shown in full once, and should be named and revoked per integration. Public discovery and `POST /v1/estimate` do not require it.

## Signed-in Console sessions

Passwordless email sign-in establishes a browser session for Console routes. The session acts as the current user in the selected organization and is constrained by current membership, role, and capabilities. Do not export the browser cookie as an integration credential.

## Delegated MCP credentials

Create a separate `efmcp_live_...` credential for a trusted MCP client. It delegates the owner's current Console authority and can be revoked independently from browser sessions and REST keys. Membership or role changes take effect when each MCP request resolves.
