diff --git a/.cursor/mcp.json.example b/.cursor/mcp.json.example index 99ff747..6787b9a 100644 --- a/.cursor/mcp.json.example +++ b/.cursor/mcp.json.example @@ -1,11 +1,11 @@ { - "_comment": "Copy to .cursor/mcp.json (git-ignored) and fill slug + headers. Header names per LIVE-POC.md (confirmed in Task 1.1). Use your own user_id value.", + "_comment": "Copy to .cursor/mcp.json (git-ignored) and fill the gateway slug + your user_id. Headers confirmed from Arcade docs (see LIVE-POC.md).", "mcpServers": { "arcade-eval": { "url": "https://api.arcade.st.dev/mcp/", "headers": { "Authorization": "Bearer ${ARCADE_API_KEY}", - "": "" + "Arcade-User-ID": "" } } } diff --git a/LIVE-POC.md b/LIVE-POC.md index cf08130..3c683dc 100644 --- a/LIVE-POC.md +++ b/LIVE-POC.md @@ -40,7 +40,10 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8** ## Live fixtures (filled in Phase 1) - **Project:** _TBD (Task 1.1)_ - **API key:** _label / last-4 only — never the key (Task 1.1)_ -- **Headless auth header convention:** _confirmed in Task 1.1_ +- **Headless auth header convention (confirmed via Arcade docs 2026-06-18):** MCP gateway calls use + `Authorization: Bearer ` + `Arcade-User-ID: `. The user_id is any stable + string (an email works); this mode is for clients without browser auth / token refresh. Self-hosted + gateway URL: `https://api.arcade.st.dev/mcp/`. (Source: docs.arcade.dev call-tool-client.) - **Baseline gateway:** _slug + tool allow-list (Task 1.2)_ - **Shared reference server:** _name + tools echo/whoami/add (Task 1.4)_ - **`whoami` identity field:** _exact field the server reads (Task 1.4 / 2.4)_ diff --git a/config/.env.example b/config/.env.example index 2210876..a95c69b 100644 --- a/config/.env.example +++ b/config/.env.example @@ -12,5 +12,7 @@ ARCADE_API_KEY= ARCADE_USER_A=user-a@servicetitan.com ARCADE_USER_B=user-b@servicetitan.com -# The exact header name(s) for API-key + user_id on MCP calls are CONFIRMED live in Task 1.1 -# and recorded in LIVE-POC.md — do not guess them in code. +# Confirmed headless auth (Arcade docs) — MCP gateway calls send: +# Authorization: Bearer ${ARCADE_API_KEY} +# Arcade-User-ID: (any stable string; an email works) +# See LIVE-POC.md.