Every request to the MCP server and the REST API is authenticated with an API key. Supported AI connectors can also sign in over OAuth, so there's no key to copy or store.
API keys
Create keys in your dashboard. A key starts with the prefix eq_ and is shown once at creation — copy it then and store it somewhere safe. We only keep a hash, so a lost key can't be recovered; create a new one and delete the old.
Sending your key
Provide the key one of two ways. The Authorization header is preferred.
Authorization header
curl "https://api.equibles.com/v1/stocks/AAPL/prices" \
-H "Authorization: Bearer eq_your_api_key"
Query parameter — useful where you can't set headers (for example an MCP client that only takes a URL):
https://api.equibles.com/v1/stocks/AAPL/prices?api_key=eq_your_api_key
A key in the URL can end up in logs and browser history. Prefer the header, and treat any URL that contains a key as a secret.
OAuth (MCP connectors)
ChatGPT, Claude (web, Desktop, and Code), Cursor, and VS Code can connect to the MCP server without an API key. Paste https://mcp.equibles.com/mcp into the client's connector settings and sign in to Equibles to approve access — the client holds a short-lived OAuth token (refreshed automatically) instead of a key, scoped to read-only data access. Step-by-step for each client is under Connect the MCP server.
Keeping keys safe
- Use a separate key per integration so you can revoke one without affecting the others.
- Keep keys server-side. Never commit them to source control or ship them in client-side code.
- Rotate on a schedule, and immediately if a key may have leaked — delete it in the dashboard and create a new one.
- All requests must be over HTTPS.