Security

Authentication and session management

Secure MCP traffic with Auth0-issued tokens and short-lived API keys dedicated to assistants.

Issue scoped API keys

Provision API keys per assistant. Keys inherit organization-level rate limits and can be revoked without touching human access.

Adopt OAuth flows when needed

For assistants that run in the browser, use Auth0's Client Credentials flow to trade a machine identity for Source Parts access tokens.

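// Auth0 settings an assistant uses to request Source Parts access tokens.
export const mcpAuth = {
  provider: "auth0",
  // API identifier the access token is issued for (the token's audience).
  audience: "https://api.source.parts",
  // Auth0 tenant endpoint that issues the tokens.
  tokenEndpoint: "https://sourceparts.us.auth0.com/oauth/token",
};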
Authentication for Source Parts MCP
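The token exchange that the configuration above feeds, as an added example (not Source Parts' own code). It assumes the exchange runs in a server-side component (Node 18+) that holds the client secret; `buildTokenRequest`, `createTokenSource`, the option names and the 30-second refresh margin are hypothetical, and only the `mcpAuth` values come from the page.

```javascript
// Added example. Only the mcpAuth values come from the page; function names,
// option names and the 30-second refresh margin are assumptions.
const mcpAuth = {
  provider: "auth0",
  audience: "https://api.source.parts",
  tokenEndpoint: "https://sourceparts.us.auth0.com/oauth/token",
};

// Build the OAuth 2.0 Client Credentials request (RFC 6749, section 4.4).
function buildTokenRequest(cfg, clientId, clientSecret) {
  if (!clientId || !clientSecret) throw new Error("missing machine credentials");
  // Refuse to send the client secret over anything but HTTPS.
  if (new URL(cfg.tokenEndpoint).protocol !== "https:") {
    throw new Error("token endpoint must use HTTPS");
  }
  return {
    url: cfg.tokenEndpoint,
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      audience: cfg.audience, // binds the token to the Source Parts API
    }).toString(),
  };
}

// Returns getToken(): reuses the cached token until skewMs before expiry.
function createTokenSource(cfg, creds, opts = {}) {
  const { fetchImpl = globalThis.fetch, now = Date.now, skewMs = 30000 } = opts;
  let cached = null;
  return async function getToken() {
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    const { url, ...init } = buildTokenRequest(cfg, creds.clientId, creds.clientSecret);
    const res = await fetchImpl(url, init);
    // Report only the status code, never the response body or the secret.
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const { access_token, token_type, expires_in } = await res.json();
    if (!access_token || token_type !== "Bearer" || !(expires_in > 0)) {
      throw new Error("unexpected token response");
    }
    cached = { token: access_token, expiresAt: now() + expires_in * 1000 };
    return cached.token;
  };
}
```

Pass the returned token as `Authorization: Bearer <token>` on MCP requests; the `fetchImpl` and `now` options exist so the refresh logic can be exercised without network access.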