
auth.md

This document describes how autonomous agents authenticate with the Dakota Platform API. It follows the auth.md agent-registration discovery convention. Dakota Platform does not expose an OAuth authorization server for third-party agents. Programmatic access is provisioned through API keys created in the Dakota Platform dashboard, so the OAuth metadata files (/.well-known/oauth-protected-resource, /.well-known/oauth-authorization-server) are not the canonical entrypoint for agent registration. Use the instructions below.

Agent audience

  • Resource: https://api.platform.dakota.xyz (production), https://api.platform.sandbox.dakota.xyz (sandbox)
  • Documentation: https://docs.dakota.xyz
  • OpenAPI specification: https://docs.dakota.xyz/openapi.json
  • MCP server: https://mcp.platform.dakota.xyz/mcp (production, HTTPS only)

Registration

To provision credentials for an agent, a Dakota Platform account is required.
  1. Request a Dakota Platform account. New customers and partners contact the Dakota team at https://dakota.xyz/talk-to-sales. Existing customers can invite additional users from the dashboard.
  2. Sign in to the dashboard.
  3. Create an API key. Open the API keys section in the sidebar, click Create New API Key, and give it a descriptive name (e.g. agent-prod-ingest). The key value is shown only once — copy it immediately into the agent’s secret store.
  4. Scope the key. The key inherits the permissions of the user that created it. Create a dedicated user with least-privilege access for production agents.
  5. Revocation. Keys can be revoked at any time from the same dashboard view. Rotate keys on a schedule appropriate to the agent’s blast radius.
There is no machine-to-machine self-service registration endpoint. All key issuance is gated on a Dakota Platform account.

Supported authentication methods

| Method | Resource | Notes |
| --- | --- | --- |
| API key (x-api-key header) | REST API (api.platform.dakota.xyz) | Primary mechanism. Required on every request. |
| API key as Bearer token | MCP server (mcp.platform.dakota.xyz/mcp) | Same key, passed as Authorization: Bearer <key> on MCP registration. Recommended for AI clients. |
| OAuth 2.1 (Stytch) | MCP server only | Browser-based sign-in restricted to allowlisted internal Google domains. Not available to external agents. |
API keys are base64-encoded strings, exactly 60 characters (e.g. AHGlPZaxDSMz8Wf1l8VRH4ObdbHiKsWFWnmRyHtiwAc=).

Applying credentials

REST API

All requests require the x-api-key header:
GET /customers HTTP/1.1
Host: api.platform.dakota.xyz
x-api-key: AHGlPZaxDSMz8Wf1l8VRH4ObdbHiKsWFWnmRyHtiwAc=
Content-Type: application/json
POST, PUT, and PATCH requests additionally require an x-idempotency-key header containing a unique UUID per request. See API Keys & Headers for full examples in cURL, JavaScript, Python, Go, Rust, and Java.

MCP server

Register the Dakota MCP server with your AI client using the API key as a Bearer token:
{
  "mcpServers": {
    "dakota": {
      "url": "https://mcp.platform.dakota.xyz/mcp",
      "headers": {
        "Authorization": "Bearer AHGlPZaxDSMz8Wf1l8VRH4ObdbHiKsWFWnmRyHtiwAc="
      }
    }
  }
}
See MCP Server for client-specific setup (Claude Desktop, Cursor, ChatGPT).

Security expectations

  • Transport: HTTPS only. Plain HTTP requests are rejected.
  • Storage: Treat API keys as production secrets. Store them in a secret manager, never in source control.
  • Rotation: Rotate keys when an agent’s deployment changes hands or on a fixed cadence (90 days recommended).
  • Rate limits: See Rate Limiting.
  • Incident response: Compromised keys should be revoked immediately from the dashboard and a new key issued.
For broader guidance, see the Security page.
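
The following Python example is added here and is not Dakota's own code. It builds (without sending) a REST request that carries the headers described under Applying credentials and enforces the transport and storage expectations above. The environment variable name DAKOTA_API_KEY, the function names, and the use of POST on /customers are assumptions made for illustration.

```python
import os
import uuid
import urllib.request
from urllib.parse import urlsplit

# Hosts taken from the "Agent audience" section of this page.
ALLOWED_HOSTS = {"api.platform.dakota.xyz", "api.platform.sandbox.dakota.xyz"}
MUTATING_METHODS = {"POST", "PUT", "PATCH"}
KEY_ENV_VAR = "DAKOTA_API_KEY"  # assumed name; populated by your secret manager


def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(method, url, api_key, body=None):
    """Return an unsent urllib Request carrying the headers this page requires."""
    method = method.upper()
    parts = urlsplit(url)
    # Refuse plain HTTP and any host other than the documented API hosts,
    # so the key is never attached to a request bound for somewhere else.
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS URL")
    if parts.hostname not in ALLOWED_HOSTS or parts.port not in (None, 443):
        raise ValueError(f"refusing to send key to {parts.netloc!r}")
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    if method in MUTATING_METHODS:
        headers["x-idempotency-key"] = str(uuid.uuid4())  # fresh UUID per request
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def redacted_headers(req):
    """Header view that is safe to log: the key value is masked."""
    return {k: ("<redacted>" if k.lower() == "x-api-key" else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed sample key and an assumed POST path, for the demo only.
    req = build_request("POST", "https://api.platform.sandbox.dakota.xyz/customers",
                        load_api_key({KEY_ENV_VAR: "constructed-sample-key"}), b"{}")
    print(req.get_method(), req.full_url, redacted_headers(req))
```

urllib normalizes header names to the form X-api-key when storing them; HTTP header names are case-insensitive, so the request is equivalent to the lowercase form shown above.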

Contact