Authentication

API keys — REST API

Get your API key from Dashboard → API Keys. Pass it in every request using either the X-Api-Key header (recommended) or a Bearer token:

Option 1 — X-Api-Key header (recommended)

X-Api-Key: YOUR_API_KEY

Option 2 — Authorization: Bearer

Authorization: Bearer YOUR_API_KEY

Both methods are equivalent. Use X-Api-Key when your HTTP client or framework makes it easier to set a plain header. Use Authorization: Bearer for compatibility with tools that expect the standard HTTP auth header.

Key prefixes

OAuth — MCP server

The MCP server uses OAuth 2.0 rather than API keys. This gives your AI agent user-delegated access — it acts on behalf of your account without you embedding a long-lived secret in a config file.

The first time your MCP client connects to https://mcp.companylens.io/mcp:

1. Your client discovers the OAuth server via the MCP metadata endpoint.
2. A browser window opens for you to log in to CompanyLens.
3. After login, the access token is stored by your client — you won't be prompted again until it expires.

Clients that support Dynamic Client Registration (DCR) — including Claude Desktop — handle this automatically. Others use the standard authorization code flow.

Security

• Never expose your API key in client-side code — it will be visible in browser DevTools.
• Rotate keys from Dashboard → API Keys — the old key is invalidated immediately on rotation.
• Keys are scoped to your account. There are no per-endpoint restrictions.
• If you suspect a key has been compromised, rotate it immediately — there is no delay.

Troubleshooting