- API keys — a single secret you send on each request. Best for your own scripts, servers, and backends.
- OAuth 2.1 — an authorization-code flow with PKCE. Best for third-party apps and AI agents that act on a user’s behalf (this is what the MCP server uses).
API keys
Send your key in thex-api-key header:
sl_. Create, list, and revoke them from your account settings in the dashboard — see API tokens and connected apps for a step-by-step walkthrough.
In this first version, an API key carries your full account access. Per-key scopes are on the way — until then, treat every key as fully privileged and prefer OAuth (below) when you need to limit what an integration can do.
OAuth 2.1
For apps and agents acting on behalf of a Streamloop user, use the OAuth 2.1 authorization-code flow with PKCE (S256). Access tokens are ES256 JWTs you then send as a bearer token:https://auth.streamloop.app and supports dynamic client registration (RFC 7591), so agents can register without manual setup. Endpoints are discoverable from standard metadata documents:
Key endpoints:
Scopes
OAuth access tokens are limited to the scopes you request. Ask for the least you need.Trying endpoints in the docs
The Try it playground on each REST endpoint page authenticates with a bearer token (your OAuth access token). To try an endpoint with an API key instead, send the request from your own terminal with thex-api-key header shown above.