authentication.mdx

title	Authentication
description	Authenticate API requests with a Bearer API key. Same keys cover REST, MCP, and the CLI. OAuth available for MCP clients with native support.
sidebarTitle	Authentication
icon	key
keywords	rendobar authentication api key bearer token rb_ key mcp oauth rest api auth

<script type="application/ld+json" dangerouslySetInnerHTML={{ __html: JSON.stringify({ "@context": "https://schema.org", "@type": "TechArticle", "@id": "https://rendobar.com/docs/authentication/#article", "headline": "Authentication", "description": "Authenticate API requests with a Bearer API key. Same keys cover REST, MCP, and the CLI.", "datePublished": "2026-03-20", "dateModified": "2026-05-24", "author": { "@type": "Organization", "@id": "https://rendobar.com/#organization" }, "publisher": { "@type": "Organization", "@id": "https://rendobar.com/#organization" }, "isPartOf": { "@id": "https://rendobar.com/#website" } }) }} /> Every Rendobar API request needs an API key in the `Authorization` header: ```bash curl https://api.rendobar.com/jobs \ -H "Authorization: Bearer rb_YOUR_KEY" ``` Keys start with `rb_`. Get one from [app.rendobar.com](https://app.rendobar.com) → **Settings → API keys**. ## Three credential types | Type | Where to use it | |---|---| | **API key** (`rb_*`) | REST API, MCP, CLI in CI | | **Session cookie** (`rb_session`) | Dashboard browser sessions only (set automatically when you sign in) | | **OAuth 2.1 token** | MCP clients with native OAuth support, or the CLI's `rb login` browser flow | ## Use a key ```bash cURL curl https://api.rendobar.com/jobs \ -H "Authorization: Bearer rb_YOUR_KEY" ``` ```javascript JavaScript const res = await fetch("https://api.rendobar.com/jobs", { headers: { "Authorization": "Bearer rb_YOUR_KEY" }, }); ``` ```python Python import requests res = requests.get( "https://api.rendobar.com/jobs", headers={"Authorization": "Bearer rb_YOUR_KEY"}, ) ``` ## Manage keys Keys are scoped to an organization, not a user. Each key has a name. There's no per-org limit on the number of keys. ```bash # Create curl -X POST https://api.rendobar.com/api-keys \ -H "Authorization: Bearer rb_EXISTING_KEY" \ -H "Content-Type: application/json" \ -d '{ "name": "CI Pipeline" }' # Revoke curl -X DELETE https://api.rendobar.com/api-keys/KEY_ID \ -H "Authorization: Bearer rb_YOUR_KEY" ``` Revoked keys return `401 UNAUTHORIZED` immediately. ## Auth context Every authenticated request resolves to: - `userId`: the authenticated user (when via session or OAuth) - `orgId`: the active organization - `plan`: current plan; controls [rate limits](/support/limits), allowed job types, [balance](/concepts/credits) Used for rate limiting, plan enforcement, and credit checks on every request. ## OAuth for MCP MCP clients that speak OAuth 2.1 natively can register dynamically and run a PKCE flow against Rendobar's authorization server. Tokens are scoped to the user's organization. See [MCP overview](/mcp/overview) for setup. API keys are simpler and recommended for non-interactive integrations. ## Errors ```json { "error": { "code": "UNAUTHORIZED", "message": "Invalid or expired authentication" } } ``` HTTP `401`. Other auth-adjacent errors live in [Error codes](/support/errors). ## See also - [Quickstart](/quickstart) - [CLI authentication](/cli/authentication) - [MCP overview](/mcp/overview) - [Error codes](/support/errors) ## Related - [Quickstart](/quickstart): submit your first job in under five minutes - [CLI authentication](/cli/authentication): `rb login` browser flow and CI key usage - [MCP overview](/mcp/overview): how API keys and OAuth work for AI agents - [Plan limits](/support/limits): rate limits and concurrency by plan - [Pricing](https://rendobar.com/pricing/): Free vs Pro and credit packs