Every request to the MCP server and the REST API is authenticated with an **API key**. Supported AI connectors can also sign in over **OAuth**, so there's no key to copy or store.

## API keys

Create keys in your [dashboard](/dashboard/apikeys). A key starts with the prefix `eq_` and is shown **once** at creation — copy it then and store it somewhere safe. We only keep a hash, so a lost key can't be recovered; create a new one and delete the old.

## Sending your key

Provide the key one of two ways. The `Authorization` header is preferred.

**Authorization header**

```bash
curl "https://api.equibles.com/v1/stocks/AAPL/prices" \
  -H "Authorization: Bearer eq_your_api_key"
```

**Query parameter** — useful where you can't set headers (for example an MCP client that only takes a URL):

```
https://api.equibles.com/v1/stocks/AAPL/prices?api_key=eq_your_api_key
```

> A key in the URL can end up in logs and browser history. Prefer the header, and treat any URL that contains a key as a secret.

## OAuth (MCP connectors)

ChatGPT, Claude (web, Desktop, and Code), Cursor, and VS Code can connect to the MCP server without an API key. Paste `https://mcp.equibles.com/mcp` into the client's connector settings and sign in to Equibles to approve access — the client holds a short-lived OAuth token (refreshed automatically) instead of a key, scoped to read-only data access. Step-by-step for each client is under [Connect the MCP server](/docs/mcp).

## Keeping keys safe

- Use a separate key per integration so you can revoke one without affecting the others.
- Keep keys server-side. Never commit them to source control or ship them in client-side code.
- Rotate on a schedule, and immediately if a key may have leaked — delete it in the dashboard and create a new one.
- All requests must be over HTTPS.