Authentication

The hosted BoldSign MCP Server supports two authentication models, and both work on every regional endpoint:

1. API key authentication - the simplest option when your MCP client can send custom HTTP headers
2. OAuth authentication - best for clients that support interactive sign-in and remote OAuth discovery

Generate an API key from the BoldSign dashboard and pass it in the X-API-Key header. This is the simplest option for any client that supports custom headers such as coding editors, autonomous pipelines, and direct API calls.

• Store the API key in the client's secure secret or input-variable system whenever possible
• Never hardcode the key in source control
• Rotate the key if it has been exposed or shared incorrectly

For more information about obtaining and managing API keys, see BoldSign API key authentication.

BoldSign's MCP server supports OAuth for clients that manage the authorization flow automatically such as Claude Web Connectors and ChatGPT custom connectors. When you add BoldSign as a connector, the client opens an interactive sign-in flow against the correct BoldSign authorization system for your region. The client handles token acquisition and refresh.

When an OAuth-capable client connects to the hosted MCP endpoint, it can discover the required authorization details and prompt the user to sign in. After sign-in succeeds, the client sends bearer tokens to the MCP endpoint for subsequent tool calls.

For broader OAuth background, see BoldSign OAuth 2.0 authentication.

Use OAuth for ChatGPT. OpenAI's ChatGPT app flow discovers OAuth from the MCP server metadata and does not provide a place to enter a BoldSign API key or X-API-Key header for this setup.

Authentication must stay region-aligned. Use the endpoint from Regional Endpoints section that matches your BoldSign account region.

If your endpoint and account region do not match, you can see authentication failures or unsuccessful downstream tool calls.