Gateway API, headers, and access keys
Reference for the /mcp endpoint, authentication headers (Authorization, X-Org-Id, X-User-Id), access keys, and the per-call identity override.
Endpoint
All MCP traffic uses a single JSON-RPC endpoint over Streamable HTTP. It implements initialize, tools/list, and tools/call.
POST https://<org>.ucl.dev/mcp
Headers
- Authorization: Bearer <access-key> - authenticates the caller (required).
- X-Org-Id: <org> - the workspace/tenant the call is for (multi-tenant agents).
- X-User-Id: <id> - the end user to act as on per-user connectors.
Access keys
Create one access key per agent or client. Each key carries a scope (which servers it can reach), a role, and an optional ABAC policy. Tokens are shown once and stored only as a hash.
Per-call identity override
On "either" connectors, a call may include a reserved "_identity" argument of "org" or "user" to pick the credential for that call. It is stripped before the request reaches the downstream server.
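The request shape described under Endpoint, Headers and Per-call identity override, as an added Python example (not the gateway's own code). The tool name, key and IDs are constructed sample values, placing "_identity" inside params.arguments is an assumption, and strip_identity only illustrates the stripping behaviour the page describes.

```python
import json

ALLOWED_IDENTITY = ("org", "user")  # the two values the page names


def build_tools_call(access_key, org, user_id, tool, arguments,
                     identity=None, request_id=1):
    """Return (headers, body_json) for a JSON-RPC tools/call POST to /mcp."""
    if identity is not None and identity not in ALLOWED_IDENTITY:
        raise ValueError("_identity must be 'org' or 'user'")
    for value in (access_key, org, user_id):
        if "\r" in value or "\n" in value:
            raise ValueError("header values must not contain CR/LF")
    args = dict(arguments)  # copy so the caller's dict is not mutated
    if identity is not None:
        # Assumption: the reserved argument travels in params.arguments.
        args["_identity"] = identity
    headers = {
        "Authorization": f"Bearer {access_key}",
        "X-Org-Id": org,
        "X-User-Id": user_id,
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream",  # Streamable HTTP
    }
    body = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool, "arguments": args}}
    return headers, json.dumps(body)


def strip_identity(body_json):
    """Illustration of the stripping step: return (choice, forwarded_message)."""
    msg = json.loads(body_json)
    args = msg.get("params", {}).get("arguments", {})
    choice = args.pop("_identity", None)  # never forwarded downstream
    if choice is not None and choice not in ALLOWED_IDENTITY:
        raise ValueError("unexpected _identity value")
    return choice, msg


if __name__ == "__main__":
    # Constructed sample values; "crm_search" is a hypothetical tool name.
    hdrs, body = build_tools_call("constructed-access-key", "acme", "user-123",
                                  "crm_search", {"query": "open tickets"},
                                  identity="user")
    choice, forwarded = strip_identity(body)
    print(choice, json.dumps(forwarded["params"]["arguments"]))
```

Keep the access key out of logs and source control when adapting this; load it from a secret store or environment variable at call time.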
FAQ
How is an access key different from a gateway OAuth token?
An access key is a long-lived bearer credential you mint per agent. A gateway OAuth token is issued to an interactive MCP client after a user signs in and consents.
Last updated 2026-06-09
