Grapevine supports two authentication methods: API keys for programmatic access to both the REST API and MCP server, and OAuth for human users connecting to MCP through interactive clients.

Choosing an authentication method

Choose the authentication method that best fits your use case:

OAuth

Best for: Human users, desktop MCP clients, interactive sessions
  • Browser-based login flow
  • Automatic token refresh
  • Works only with MCP protocol
  • Access to private data based on authenticated user

API Keys

Best for: Automation, scripts, CI/CD, programmatic access
  • Long-lived tokens
  • Works with both REST API and MCP server
  • Simple Bearer token authentication
  • Public data only - team-scoped access

MCP Server

Grapevine runs as a remote MCP server at https://mcp.getgrapevine.ai. The MCP server supports both OAuth and API key authentication. See the MCP API documentation for complete protocol details and available tools.
OAuth provides a seamless authentication experience for human users connecting through MCP clients. The client automatically handles the browser-based login flow.
OAuth authentication enables access to private data based on the authenticated user’s permissions. This allows MCP clients to access personal context that API keys cannot reach.
Claude Desktop:
{
  "mcpServers": {
    "grapevine": {
      "url": "https://mcp.getgrapevine.ai"
    }
  }
}

API Keys (For programmatic access)

For scripts, automation, and programmatic access, use API keys with the Authorization header:
Claude Desktop:
{
  "mcpServers": {
    "grapevine": {
      "url": "https://mcp.getgrapevine.ai",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

REST API

Include your API key in the Authorization header as a Bearer token:
curl https://api.getgrapevine.ai/v1/ask \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "What is our pricing strategy?"}'
See the REST API documentation for complete endpoint details.

Managing API keys

Creating an API key

API keys are currently team-scoped and only have access to public information in your tenant. For more information on public vs private data, see Privacy.
  1. Open API Keys page
     Navigate to the API Keys page in the Grapevine admin dashboard.
  2. Create new key
     Click Create API Key and give your key a descriptive name (e.g., “Production Integration”, “Development”).
  3. Save your key
     Click Create, then copy the key immediately - it will only be shown once.
API keys are shown only once at creation. Store them securely - you won’t be able to see them again.

Viewing keys

You can view all your API keys on the API Keys page. The list shows:
  • Key name
  • Partial key (prefix only)
  • Creation date
  • Last used date

Revoking keys

  1. Open API Keys page
     Navigate to the API Keys page.
  2. Find and delete
     Find the key you want to revoke and click the Delete button.
Revoked keys stop working immediately.

Security best practices

Choose the right method

Use OAuth for interactive human sessions through MCP clients. Reserve API keys for automation, scripts, and programmatic access.

Store securely

Store API keys in environment variables or secure credential management systems. Never commit them to version control.
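
One way to check this before a commit, as an added example that is not Grapevine's own code: the function below parses a config in the mcpServers format shown above and reports any server entry whose Authorization header holds a literal Bearer token. The sample configs and the key value are constructed, and treating YOUR_API_KEY as the only safe placeholder is an assumption.

```python
import json

# Values that are safe to commit. YOUR_API_KEY is the placeholder used on this
# page; treating it as the only safe value is an assumption of this example.
PLACEHOLDERS = {"YOUR_API_KEY"}


def redact(token, keep=4):
    """Report only a short prefix so the finding itself never leaks the key."""
    return token[:keep] + "..." if len(token) > keep else "..."


def find_embedded_keys(config_text):
    """Return (server_name, redacted_token) for every mcpServers entry whose
    Authorization header carries a literal Bearer credential."""
    config = json.loads(config_text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        if not isinstance(server, dict):
            continue
        for header, value in (server.get("headers") or {}).items():
            # HTTP header names are case-insensitive, so compare lowercased.
            if header.lower() != "authorization" or not isinstance(value, str):
                continue
            scheme, _, token = value.strip().partition(" ")
            token = token.strip()
            if scheme.lower() == "bearer" and token and token not in PLACEHOLDERS:
                findings.append((name, redact(token)))
    return findings


# Constructed sample configs; the key value in LEAKY_CONFIG is made up.
OAUTH_CONFIG = '{"mcpServers": {"grapevine": {"url": "https://mcp.getgrapevine.ai"}}}'
TEMPLATE_CONFIG = json.dumps({"mcpServers": {"grapevine": {
    "url": "https://mcp.getgrapevine.ai",
    "headers": {"Authorization": "Bearer YOUR_API_KEY"}}}})
LEAKY_CONFIG = json.dumps({"mcpServers": {"grapevine": {
    "url": "https://mcp.getgrapevine.ai",
    "headers": {"authorization": "Bearer example-not-a-real-key-123"}}}})

if __name__ == "__main__":
    for label, text in [("oauth", OAUTH_CONFIG), ("template", TEMPLATE_CONFIG),
                        ("leaky", LEAKY_CONFIG)]:
        print(label, find_embedded_keys(text))
```

A non-empty result is the signal to fail the commit and move the key into an environment variable or credential manager.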

Use descriptive names

Name API keys based on their purpose or environment to make management easier.

Rotate regularly

API keys don’t expire. Rotate them whenever there is a chance they have been compromised, such as after team changes.
