REST API and CLI bearer tokens
Every API request except `GET /v1/_health` needs a bearer token. Direct REST API calls and CLI jobs use Hoist Assets API keys, sent in the `Authorization` header:

```http
Authorization: Bearer $HOIST_ASSETS_API_KEY
```
Credential handling. Treat bearer tokens like passwords. Keep them server-side and out of browser code, public repos, screenshots, prompts, and analytics payloads.
The CLI can use the same key with `--token` or the `HOIST_ASSETS_API_KEY` environment variable. There is no separate CLI key flow.
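An added example (not Hoist's own client or CLI code) of the token-handling rules above, written as a small Python helper: it resolves the key the way the CLI does (`--token` first, then `HOIST_ASSETS_API_KEY`), skips the header only for `GET /v1/_health`, and redacts bearer tokens before anything is logged, so the key never lands in log lines, screenshots or analytics payloads. The REST base URL is a placeholder assumption; the page only names the MCP host.

```python
import argparse
import os
import re
from typing import Mapping, Optional

# Assumption: placeholder REST base URL; the page does not give the real REST host.
API_BASE = "https://api.example.invalid"
# The one route the page says needs no bearer token.
HEALTH_PATH = "/v1/_health"


def resolve_api_key(cli_token: Optional[str], env: Mapping[str, str]) -> str:
    """Mirror the CLI rule: an explicit --token wins, otherwise HOIST_ASSETS_API_KEY."""
    token = cli_token or env.get("HOIST_ASSETS_API_KEY")
    if not token or not token.strip():
        raise RuntimeError("no API key: pass --token or set HOIST_ASSETS_API_KEY")
    return token.strip()


def auth_headers(method: str, path: str, api_key: Optional[str]) -> dict:
    """Build request headers; every route except GET /v1/_health requires a bearer token."""
    if method.upper() == "GET" and path == HEALTH_PATH:
        return {}
    if not api_key:
        raise ValueError(f"{method} {path} requires a bearer token")
    return {"Authorization": f"Bearer {api_key}"}


# Matches the token that follows "Bearer" in headers, curl output, or log lines.
_BEARER_RE = re.compile(r"(Bearer\s+)\S+")


def redact(text: str) -> str:
    """Replace any bearer token in free text with a marker before it is logged or shared."""
    return _BEARER_RE.sub(r"\1[REDACTED]", text)


def describe_request(method: str, path: str, api_key: Optional[str]) -> str:
    """Return a log-safe one-line description of the request that would be sent."""
    headers = auth_headers(method, path, api_key)
    header_text = " ".join(f"{k}: {v}" for k, v in headers.items())
    return redact(f"{method.upper()} {API_BASE}{path} {header_text}".rstrip())


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="log-safe request preview")
    parser.add_argument("--token", help="API key; otherwise HOIST_ASSETS_API_KEY is used")
    parser.add_argument("--method", default="GET")
    parser.add_argument("path")
    args = parser.parse_args()
    key = None if args.path == HEALTH_PATH else resolve_api_key(args.token, os.environ)
    print(describe_request(args.method, args.path, key))
```

The redaction step is deliberately applied to the whole formatted line rather than to a single field: tokens leak most often through generic "dump the request" logging, not through code that knowingly prints the header.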
MCP OAuth consent
MCP clients use OAuth consent. A signed-in human approves the scopes the AI client can use, and Hoist stores the approval, billing checks, and audit events server-side.
| Route | Purpose |
|---|---|
| https://mcp.assets.hoistai.com/.well-known/oauth-authorization-server | OAuth metadata. |
| https://mcp.assets.hoistai.com/oauth/register | Dynamic client registration. |
| https://mcp.assets.hoistai.com/oauth/authorize | Human approval. |
| https://mcp.assets.hoistai.com/oauth/token | Token exchange. |
| https://mcp.assets.hoistai.com/oauth/revoke | Disconnect or revoke. |
| https://mcp.assets.hoistai.com/mcp | Protected MCP endpoint. |
Scopes
Tokens and approvals are limited to the scopes granted at issue time. The available scopes are:

- `ppsr:search.org`
- `ppsr:search.serial`
- `abn:lookup`
- `gst:status`
- `assets:receipts`
- `exports:write`
- `assets:monitor`
- `mcp:account.receipts`
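An added example, not Hoist's server code, of how a resource server enforces "limited to the scopes granted at issue time": the scopes issued are the intersection of what the client asked for, what the human approved, and the known scope list, and each tool call is then checked against that issued set. The scope names are the ones listed above; the tool-to-scope mapping and the sample grants are constructed for the example.

```python
from typing import Iterable, Mapping, Set

# Scope names from the page.
KNOWN_SCOPES = frozenset({
    "ppsr:search.org",
    "ppsr:search.serial",
    "abn:lookup",
    "gst:status",
    "assets:receipts",
    "exports:write",
    "assets:monitor",
    "mcp:account.receipts",
})

# Constructed mapping of hypothetical MCP tool names to the scope each one needs.
TOOL_SCOPES: Mapping[str, str] = {
    "search_org": "ppsr:search.org",
    "lookup_abn": "abn:lookup",
    "export_report": "exports:write",
}


def parse_scope_string(scope: str) -> Set[str]:
    """OAuth carries scopes as a space-separated string; normalise to a set."""
    return {s for s in scope.split() if s}


def issue_scopes(requested: Iterable[str], approved: Iterable[str]) -> Set[str]:
    """Scopes bound to a new token: requested AND approved AND known. Unknown names are dropped."""
    return set(requested) & set(approved) & KNOWN_SCOPES


def missing_scopes(granted: Iterable[str], required: Iterable[str]) -> Set[str]:
    """Scopes a call needs that the token does not carry (empty set means allowed)."""
    return set(required) - set(granted)


def authorize_tool_call(tool: str, token_scopes: Iterable[str]) -> bool:
    """Deny unknown tools and any tool whose scope is not on the token."""
    required = TOOL_SCOPES.get(tool)
    if required is None:
        return False
    return not missing_scopes(token_scopes, {required})


if __name__ == "__main__":
    # Constructed consent: the client asked for three scopes, the human approved two,
    # and one requested name is not a real scope at all.
    requested = parse_scope_string("ppsr:search.org exports:write not:a.scope")
    approved = parse_scope_string("ppsr:search.org abn:lookup")
    token_scopes = issue_scopes(requested, approved)
    print("issued:", sorted(token_scopes))
    for tool in ("search_org", "lookup_abn", "export_report", "delete_everything"):
        print(tool, "allowed" if authorize_tool_call(tool, token_scopes) else "denied")
```

Because `abn:lookup` was approved but never requested, it is not issued either; widening a token beyond what the client asked for is as much a least-privilege failure as ignoring the human's approval.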
Human dashboard sign-in
Human account pages use browser sessions. API, CLI, and MCP calls use bearer tokens with explicit scopes, so keep machine-client tokens separate from browser sign-in state.
Use the right surface. Use API keys for products and backend jobs, OAuth for MCP agent hosts, and browser sign-in only for human account pages.
