AgentRuntime supports multiple authentication methods depending on whether you use the Console, call the REST API, or connect an IDE through Platform MCP.

Console session (browser)

Sign in at console.agentruntime.io with:
  • Email and password — Requires email verification for new accounts
  • Google OAuth — Sign in with Google or Google One Tap
The BFF issues a session cookie scoped to .agentruntime.io. The Console refreshes tokens automatically. Password reset and change-password flows are at /auth/forgot-password and account settings.

Personal access tokens (PATs)

PATs are the recommended method for scripts, CI pipelines, and Platform MCP.

1. Create a token

In the Console, go to Settings → API keys (/settings?tab=apiKeys). Click Create API key and give the token a descriptive name.

2. Select scopes

Choose the minimum scopes needed:
Scope            Grants
workflow:read    List workflows, runs, events
workflow:run     Start and control runs
mcp:execute      Execute MCP tools in workflow runs

3. Copy the token

The token value is shown once. Store it in a secrets manager.

4. Call the API

Send Authorization: Bearer YOUR_PAT on every request, plus X-Tenant-Id and X-Project-Id for scoped operations.
curl "https://api.agentruntime.io/v1/workflows" \
  -H "Authorization: Bearer ar_pat_..." \
  -H "X-Tenant-Id: acme" \
  -H "X-Project-Id: prod"
PATs are validated against your user identity and project role. A PAT with workflow:run still requires project_contributor on the target project.

Platform MCP

Connect Cursor or other MCP clients to:
https://mcp.agentruntime.io/mcp
Authenticate with the same PAT used for REST. Platform MCP tools wrap BFF operations — list workflows, trigger runs, manage resources — without crafting raw HTTP.

Google OAuth (API)

Google OAuth for user login uses /v1/auth/oauth/google/*. This is separate from Google connections for Workspace MCP adapters (/v1/connections/google/*).

Inbound webhook signatures

External systems triggering runs via inbound webhooks authenticate with HMAC signatures on the subscription secret — not PATs.

Security practices

  • Rotate PATs on a schedule and revoke unused tokens
  • Use the narrowest scopes that satisfy your automation
  • Never commit tokens to git or embed them in client-side code
  • Tenant admins can enforce domain verification and auth policy for workspace members
If a PAT is exposed, revoke it immediately in the Console and create a new one. Audit recent runs and API activity for unauthorized use.
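
A check for the "never commit tokens to git" practice above, as an added example that is not part of the AgentRuntime documentation: a Python scanner that flags strings starting with the ar_pat_ prefix shown in the curl example and reports them redacted. The token body pattern (16 or more URL-safe characters), the function names, and the sample text are assumptions; the page shows only the prefix.

```python
import re
import sys
from pathlib import Path

# Assumption: the docs show only the "ar_pat_" prefix. The body character set
# and minimum length are guesses; tune them against a real (revoked) token.
PAT_RE = re.compile(r"ar_pat_[A-Za-z0-9_\-]{16,}")

def redact(token: str) -> str:
    """Keep the prefix and last 4 characters so findings are safe to log."""
    return f"ar_pat_****{token[-4:]}"

def scan_text(text: str, source: str = "<memory>"):
    """Return (source, line number, redacted token) for each suspected PAT."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAT_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings

def scan_paths(paths):
    """Scan files by path; unreadable or missing paths are skipped."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings

# Constructed sample: line 1 reads the PAT from a secret file (safe), line 2
# embeds a made-up token (flagged), line 3 is a docs placeholder (ignored).
SAMPLE = (
    'export AR_PAT="$(cat /run/secrets/ar_pat)"\n'
    'curl -H "Authorization: Bearer ar_pat_CONSTRUCTEDexample0123456789" ...\n'
    'curl -H "Authorization: Bearer ar_pat_..." ...\n'
)

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample")
    for source, lineno, token in hits:
        print(f"{source}:{lineno}: possible AgentRuntime PAT {token}")
    sys.exit(1 if hits else 0)
```

Pass it the staged file paths from a pre-commit hook; a non-zero exit blocks the commit.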