# Authenticating with Waydock

Waydock exposes a Model Context Protocol (MCP) server so AI agents can read and
act on a user's unified context (mail, meetings, calendar, tasks).

## Authentication model

Waydock uses **per-user bearer API keys**, not OAuth. Each user issues and
revokes their own keys; a key carries an explicit scope set and is audited
per call. Waydock does **not** operate an OAuth authorization server for MCP,
so there is no `/.well-known/oauth-authorization-server` or dynamic client
registration endpoint.

## How a user issues a key

1. Sign in to Waydock and open **Settings → Account → MCP** (https://waydock.ai/settings/account/mcp).
2. Create a key, choosing a scope preset ("Read & email yourself" or "Full
   access") or a custom scope set. Sending email to other people is always a
   separate, explicit opt-in and is never granted by a preset.
3. Copy the key (prefix `wdmcp_`). It is shown once. Keys are revocable at any
   time, and every call is recorded in a per-key audit log.

## Using the key

Send the key as a bearer token on every MCP request:

```
Authorization: Bearer wdmcp_xxxxxxxx
```

The `x-api-key: wdmcp_xxxxxxxx` header is also accepted.

- MCP endpoint: https://waydock.ai/api/mcp/stream (transport: streamable-http)
- Server card: https://waydock.ai/.well-known/mcp/server-card.json
- Manifest (tools + scopes): https://waydock.ai/api/mcp/manifest
- Health: https://waydock.ai/api/mcp/health

## Example client config (Claude Desktop)

```json
{
  "mcpServers": {
    "waydock": {
      "type": "http",
      "url": "https://waydock.ai/api/mcp/stream",
      "headers": { "Authorization": "Bearer YOUR_MCP_KEY" }
    }
  }
}
```

## Scopes

Scopes are namespaced `read:*` / `write:*`. Outbound send requires the literal
`write:mail.send` scope and is wildcard-proof: no preset or wildcard grant can
satisfy it. See the manifest for the full scope catalog and the tools each scope
unlocks.
