Authentication Guide

MCP requests use API key auth via Authorization: Bearer tns_.... Keys are workspace-scoped and user-attributed.

The full key is displayed exactly once on creation. Tensient stores only a SHA-256 hash and a short prefix for UI display.

Revoke keys in Settings → Developer. Revoked keys are rejected immediately and can no longer call the MCP endpoint.

Security best practices: never commit keys, keep one key per client, rotate regularly, and revoke leaked keys immediately.