# Authentication

The hosted BoldSign MCP Server supports **two authentication models**, and both work on every regional endpoint:

1. **API key authentication** - the simplest option when your MCP client can send custom HTTP headers
2. **OAuth authentication** - best for clients that support interactive sign-in and remote OAuth discovery

## Options

| Method  | Best for                                                                        | What the client sends                  |
| ------- | ------------------------------------------------------------------------------- | -------------------------------------- |
| API key | Clients that support custom headers and teams that want a straightforward setup | `X-API-Key: <your-api-key>`            |
| OAuth   | Clients with built-in remote connector sign-in or OAuth discovery               | `Authorization: Bearer <access-token>` |

## API key authentication

Generate an API key from the BoldSign dashboard and pass it in the `X-API-Key` header. This is the simplest option for any client that supports custom headers, such as coding editors, autonomous pipelines, and direct API calls.

#### Recommended practices

- Store the API key in the client's secure secret store or input-variable system whenever possible
- Never hardcode the key in source code or commit it to source control
- Rotate the key immediately if it has been exposed or shared with the wrong party

{% note %}
Treat API keys like passwords. Create a dedicated key per client or agent with only the permissions it needs. Revoke keys immediately if they are compromised.
{% /note %}

For more information about obtaining and managing API keys, see {% customlink href="/authentication/api-key/" text="BoldSign API key authentication" /%}.

## OAuth authentication

BoldSign's MCP server supports OAuth for clients that manage the authorization flow automatically, such as Claude Web Connectors and ChatGPT custom connectors. When you add BoldSign as a connector, the client opens an interactive sign-in flow against the BoldSign authorization system for your region. The client handles token acquisition and refresh.

#### How it works

When an OAuth-capable client connects to the hosted MCP endpoint, it discovers the authorization server details from the MCP server's metadata and prompts the user to sign in. After sign-in succeeds, the client sends the resulting bearer token in the `Authorization` header on subsequent tool calls.

For broader OAuth background, see {% customlink href="/authentication/oauth-2-0/" text="BoldSign OAuth 2.0 authentication" /%}.
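The discovery-then-bearer sequence above, as an added example that is not BoldSign's code and not taken from this page. It models the standard MCP authorization mechanism (OAuth 2.0 protected-resource metadata pointing at an authorization server, PKCE, and a `resource` parameter that binds the token to the MCP endpoint); the page only says that clients discover OAuth from server metadata, so whether the hosted BoldSign endpoints publish exactly these documents is an assumption. Every hostname, scope name, and metadata document below is constructed for the demo; use what your client actually discovers.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed metadata documents standing in for what a client would fetch.
# Hostnames and the scope are placeholders (assumption), not BoldSign values.
RESOURCE_METADATA = json.dumps({
    "resource": "https://mcp-us.boldsign.invalid/mcp",
    "authorization_servers": ["https://auth-us.boldsign.invalid"],
    "scopes_supported": ["documents.read"],
})
AS_METADATA = json.dumps({
    "issuer": "https://auth-us.boldsign.invalid",
    "authorization_endpoint": "https://auth-us.boldsign.invalid/oauth/authorize",
    "token_endpoint": "https://auth-us.boldsign.invalid/oauth/token",
    "code_challenge_methods_supported": ["S256"],
})


def resource_metadata_url(resource_url: str) -> str:
    """Well-known URL for protected resource metadata (RFC 9728): the
    well-known segment is inserted between host and the resource path."""
    p = urlsplit(resource_url)
    suffix = p.path if p.path not in ("", "/") else ""
    return urlunsplit((p.scheme, p.netloc, "/.well-known/oauth-protected-resource" + suffix, "", ""))


def pick_authorization_server(resource_doc: str, resource_url: str) -> str:
    """Read the authorization server from the resource metadata, refusing a
    document that describes some other resource than the one we connected to."""
    doc = json.loads(resource_doc)
    if doc.get("resource") != resource_url:
        raise ValueError("metadata 'resource' does not match the endpoint we connected to")
    servers = doc.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers advertised")
    return servers[0]


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple[str, str]:
    """Fresh (verifier, challenge); the verifier never leaves the client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(as_doc: str, issuer: str, client_id: str, redirect_uri: str,
                        resource: str, challenge: str, state: str) -> str:
    """Authorization request URL, after checking the AS metadata is the one we
    were pointed at and that it supports PKCE S256."""
    doc = json.loads(as_doc)
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch: metadata may belong to a different server")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise PKCE S256")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
        "resource": resource,  # RFC 8707: token is for this MCP endpoint only
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def bearer_headers(access_token: str) -> dict:
    """Header sent on every tool call once the token exchange has completed."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    resource = "https://mcp-us.boldsign.invalid/mcp"
    issuer = pick_authorization_server(RESOURCE_METADATA, resource)
    verifier, challenge = pkce_pair()
    print("fetch:", resource_metadata_url(resource))
    print("open:", build_authorize_url(AS_METADATA, issuer, "my-mcp-client",
                                       "http://127.0.0.1:8765/callback", resource,
                                       challenge, secrets.token_urlsafe(16)))
    # After the redirect returns ?code=..., the client POSTs code + verifier to
    # token_endpoint, then calls the MCP endpoint with bearer_headers(token).
```

The two checks that matter for security are the `resource` comparison (so a metadata document served for a different endpoint cannot redirect the sign-in elsewhere) and the `issuer` comparison, plus the `resource` parameter that keeps a token minted for one regional endpoint from being replayed against another.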

#### ChatGPT-specific note

Use **OAuth** for ChatGPT. OpenAI's ChatGPT app flow discovers OAuth from the MCP server metadata and does not provide a place to enter a BoldSign API key or `X-API-Key` header for this setup.

## Region

Authentication must stay region-aligned. Use the endpoint from {% customlink href="/boldsign-mcp-server/overview/#production-regional-endpoints" text="Regional Endpoints section" /%} that matches your BoldSign account region.

If your endpoint and account region do not match, you may see authentication failures or failing downstream tool calls.
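An added example, not BoldSign's code, that ties the API key practices above to the region rule in this section for a custom client: the key is read from a secret store or environment variable rather than hardcoded, it is attached only when the endpoint host is exactly the expected host for the account's region (so a key is never sent to a look-alike or wrong-region host), and the log representation masks it. The environment variable name `BOLDSIGN_API_KEY` and the region-to-host mapping are assumptions; the hostnames are constructed placeholders, and the real values come from the Regional Endpoints section.

```python
import os
from urllib.parse import urlsplit

# Constructed placeholder hosts (assumption). Replace with the real regional
# endpoints from the Regional Endpoints section; keep one entry per region.
REGION_HOSTS = {
    "us": "mcp-us.boldsign.invalid",
    "eu": "mcp-eu.boldsign.invalid",
}


class RegionMismatch(Exception):
    """The MCP endpoint does not belong to the account's region."""


def check_region(endpoint: str, account_region: str, region_hosts=REGION_HOSTS) -> str:
    """Return the endpoint host if it is the expected host for the region.

    The whole hostname is compared, not a substring, so a look-alike such as
    'mcp-us.boldsign.invalid.attacker.example' is rejected rather than matched.
    """
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("MCP endpoint must be https; refusing to send a credential in clear")
    expected = region_hosts.get(account_region)
    if expected is None:
        raise ValueError(f"unknown account region {account_region!r}")
    if parts.hostname != expected:
        raise RegionMismatch(
            f"endpoint host {parts.hostname!r} is not the {account_region} endpoint {expected!r}"
        )
    return parts.hostname


def is_region_aligned(endpoint: str, account_region: str, region_hosts=REGION_HOSTS) -> bool:
    """Boolean form of check_region, for callers that just want a yes/no."""
    try:
        check_region(endpoint, account_region, region_hosts)
        return True
    except (RegionMismatch, ValueError):
        return False


def load_api_key(env_var: str = "BOLDSIGN_API_KEY", environ=None) -> str:
    """Read the key from the environment (populated by the client's secret
    store); fail loudly instead of falling back to a hardcoded value."""
    env = os.environ if environ is None else environ
    key = env.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"set {env_var} from your secret store; never hardcode the key")
    return key


def api_key_headers(endpoint: str, account_region: str, api_key: str,
                    region_hosts=REGION_HOSTS) -> dict:
    """Request headers for API-key auth, built only after the region check passes."""
    check_region(endpoint, account_region, region_hosts)
    return {"X-API-Key": api_key}


def mask(secret: str) -> str:
    """Log-safe rendering of a key: enough to recognise which key, never the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


if __name__ == "__main__":
    # Constructed key for the demo only; a real run takes it from the environment.
    os.environ.setdefault("BOLDSIGN_API_KEY", "constructed-example-key-0123")
    key = load_api_key()
    headers = api_key_headers("https://mcp-us.boldsign.invalid/mcp", "us", key)
    print("sending", {k: mask(v) for k, v in headers.items()})
    try:
        api_key_headers("https://mcp-eu.boldsign.invalid/mcp", "us", key)
    except RegionMismatch as err:
        print("refused:", err)
```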

## Security and trust note

{% note %}
Treat a BoldSign MCP connection as a high-trust connection to your BoldSign account. Connect only clients and endpoints you recognize, review AI-proposed actions before approving them, and prefer least-privilege credentials where possible. For a first validation, use read-only prompts such as listing templates, contacts, or recent documents before relying on action-oriented tools.
{% /note %}
