Authentication
Hoist Assets has two authentication surfaces. REST API and CLI calls use bearer tokens. MCP clients obtain bearer tokens through OAuth consent after a signed-in human approves access.
REST API and CLI bearer tokens
Every API request except GET /v1/_health needs a bearer token, sent in the Authorization header:

Authorization: Bearer $HOIST_TOKEN

The CLI can use the same token with --token or the HOIST_TOKEN environment variable. There is no separate CLI key flow.
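The bearer-token rule above, as an added example (not Hoist's own client or CLI code): a small helper that attaches `Authorization: Bearer <token>` to every route except the public health check, reads the token from HOIST_TOKEN, and refuses to put the token on a non-HTTPS URL. The REST base URL and the `/v1/PLACEHOLDER_ROUTE` path are placeholders, since the page does not document them.

```python
"""Added example, not Hoist's own client or CLI code: send REST requests with a
bearer token read from HOIST_TOKEN, the same token the CLI accepts via --token."""
import os
from typing import Optional
from urllib.parse import urlsplit
from urllib.request import Request

# Assumption: the page does not give the REST base URL, so this is a placeholder.
BASE_URL = "https://api.example.invalid"
# The one route the page documents as needing no token.
PUBLIC_ROUTES = {("GET", "/v1/_health")}


def build_request(method: str, path: str, token: Optional[str]) -> Request:
    """Return a urllib Request for BASE_URL + path.

    Adds 'Authorization: Bearer <token>' for every route except the public
    health check, refuses to run without a token, and refuses to attach the
    token to a non-HTTPS URL so it cannot travel in cleartext."""
    url = BASE_URL.rstrip("/") + path
    req = Request(url, method=method.upper())
    if (method.upper(), path) in PUBLIC_ROUTES:
        return req  # health check: no token sent
    if not token:
        raise ValueError("no bearer token: set HOIST_TOKEN or pass --token")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def redact(token: str) -> str:
    """Shorten a token for log lines; never log the full value."""
    return "***" + token[-4:] if len(token) > 8 else "***"


if __name__ == "__main__":
    tok = os.environ.get("HOIST_TOKEN")
    health = build_request("GET", "/v1/_health", tok)
    print("health check sends Authorization:", health.has_header("Authorization"))
    if tok:
        # Placeholder route: substitute a documented endpoint.
        req = build_request("GET", "/v1/PLACEHOLDER_ROUTE", tok)
        print("authenticated request to", req.full_url, "using token", redact(tok))
```

The health check is the only call the helper will make without a token; everything else fails closed rather than sending an anonymous request that the server will reject anyway.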
MCP OAuth consent
MCP clients use OAuth consent. A human approves the scopes the AI client can use, and Hoist stores the approval, billing checks, and audit events server-side.
Use this issuer and route set:
| Route | Purpose |
|---|---|
| https://mcp.assets.hoistai.com/.well-known/oauth-authorization-server | OAuth metadata |
| https://mcp.assets.hoistai.com/oauth/register | Dynamic client registration |
| https://mcp.assets.hoistai.com/oauth/authorize | Human approval |
| https://mcp.assets.hoistai.com/oauth/token | Token exchange |
| https://mcp.assets.hoistai.com/oauth/revoke | Disconnect or revoke |
| https://mcp.assets.hoistai.com/mcp | Protected MCP endpoint |
Scopes
Tokens and approvals are limited to the scopes granted at issue time.

- ppsr:search.org
- ppsr:search.serial
- abn:lookup
- gst:status
- assets:receipts
- mcp:account.receipts
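The consent flow from the route table and the scope list above, as an added example that is not Hoist's or any MCP client's own code: an MCP client loads the metadata document, pins every endpoint to the issuer, builds an authorization URL with PKCE (S256) and a state value, checks the redirect back, prepares the token exchange, and then records which of the requested scopes the server actually granted. The metadata document, client id, redirect URI and token response are constructed samples; only the issuer, routes and scope names come from the page.

```python
"""Added example (not Hoist's or an MCP client's own code): the OAuth consent
flow an MCP client drives against the routes documented above."""
import base64
import hashlib
import json
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://mcp.assets.hoistai.com"
# Scope names taken from the page; a client should only ever ask for these.
KNOWN_SCOPES = {
    "ppsr:search.org", "ppsr:search.serial", "abn:lookup",
    "gst:status", "assets:receipts", "mcp:account.receipts",
}
ENDPOINT_KEYS = ("registration_endpoint", "authorization_endpoint",
                 "token_endpoint", "revocation_endpoint")

# Constructed sample of a metadata document. The endpoint URLs are the ones on
# the page; the PKCE advertisement is an assumption for the example.
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "registration_endpoint": ISSUER + "/oauth/register",
    "authorization_endpoint": ISSUER + "/oauth/authorize",
    "token_endpoint": ISSUER + "/oauth/token",
    "revocation_endpoint": ISSUER + "/oauth/revoke",
    "code_challenge_methods_supported": ["S256"],
})


def load_metadata(raw: str) -> Dict:
    """Parse the metadata and refuse it unless the issuer matches and every
    endpoint lives under that issuer, so a tampered document cannot redirect
    the browser or the authorization code somewhere else."""
    md = json.loads(raw)
    if md.get("issuer") != ISSUER:
        raise ValueError("issuer mismatch")
    for key in ENDPOINT_KEYS:
        if not str(md.get(key, "")).startswith(ISSUER + "/"):
            raise ValueError(key + " is not under the issuer")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    return md


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url(md: Dict, client_id: str, redirect_uri: str,
                  scopes: Iterable[str], state: str, challenge: str) -> str:
    """Build the URL the human opens to approve the requested scopes."""
    scopes = list(scopes)
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError("unknown scopes requested: " + ", ".join(sorted(unknown)))
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return md["authorization_endpoint"] + "?" + urlencode(params)


def check_callback(callback_url: str, expected_state: str) -> str:
    """Verify the state echoed on the redirect and return the authorization code."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not for this request")
    return q["code"][0]


def token_request(md: Dict, code: str, redirect_uri: str, client_id: str,
                  verifier: str) -> Tuple[str, Dict[str, str]]:
    """Return (token_endpoint, form body) for the code exchange."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}
    return md["token_endpoint"], body


def granted_scopes(token_response: Dict, requested: Iterable[str]) -> Tuple[set, set]:
    """Tokens are limited to the scopes granted at issue time, so the client
    must read the server's 'scope' answer. Returns (granted, denied)."""
    granted = set(str(token_response.get("scope", "")).split())
    denied = set(requested) - granted
    return granted, denied


if __name__ == "__main__":
    md = load_metadata(SAMPLE_METADATA)
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    wanted = ["ppsr:search.org", "abn:lookup"]
    # client_id and redirect_uri are constructed placeholders.
    print(authorize_url(md, "CLIENT_ID_PLACEHOLDER", "http://127.0.0.1:8765/cb",
                        wanted, state, challenge))
```

Pinning every endpoint to the issuer and checking `state` on the way back are the two checks a client most often skips; the PKCE verifier stays in the client's memory and only the challenge goes through the browser.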
Human dashboard sign-in
Human account pages use browser sessions. API, CLI, and MCP calls use bearer tokens with explicit scopes, so keep machine-client tokens separate from browser sign-in state.