Authentication

Growhouse MCP supports two authentication methods:

Method	How it works
OAuth 2.1	Browser-based sign-in. Used by Claude and other MCP clients automatically.
API Key	Bearer token in the `Authorization` header. Create in Settings.

API Keys

Create a key

Go to app.growhouse.co > Settings
Account > MCP Keys for user-scoped keys (access all your workspaces)
Workspace > MCP for workspace-scoped keys (access one workspace)
Click Create Key, copy it immediately

Use the key

Include it as a Bearer token:

curl -X POST https://mcp.growhouse.co \
  -H "Authorization: Bearer mcp_sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

All API keys start with mcp_sk_.

Manage keys

Revoke: Settings > find the key > delete
Rotate: Create a new key, update your client, delete the old one
Last used: Visible in Settings so you can find stale keys

OAuth 2.1

OAuth is handled automatically by MCP clients like Claude. You don't need to configure anything — just connect via https://mcp.growhouse.co and approve access in your browser.

How it works

Your AI client redirects you to Growhouse to sign in
You approve the requested permissions
Growhouse issues a token pair (access + refresh)
Tokens refresh automatically — no manual intervention

Scopes

Scope	Grants
`canvas:read`	View canvases and elements
`canvas:write`	Create, update, and delete elements
`workspace:read`	View workspace info

Technical details

PKCE: Required (S256 only)
Token lifetime: ~1 hour, auto-refreshed
Refresh tokens: Single-use with rotation
Server metadata: https://mcp.growhouse.co/.well-known/oauth-authorization-server
Dynamic client registration: Supported (RFC 7591)

Security

Keys are SHA-256 hashed at rest — Growhouse never stores raw keys
OAuth tokens are short-lived with automatic rotation
All connections require HTTPS
Rate limiting applies per workspace (100 requests/minute)

Authentication

On this page