servicetitan/arcade-eval
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: record confirmed headless auth headers (Authorization + Arcade-User-ID)

Browse Source
This commit is contained in:
iztaylor
2026-06-18 10:13:15 -04:00
parent b776157c95
commit dfc7f6a589
3 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.cursor/mcp.json.example
+2 -2
View File
@@ -1,11 +1,11 @@
{ {
"_comment": "Copy to .cursor/mcp.json (git-ignored) and fill slug + headers. Header names per LIVE-POC.md (confirmed in Task 1.1). Use your own user_id value.", "_comment": "Copy to .cursor/mcp.json (git-ignored) and fill the gateway slug + your user_id. Headers confirmed from Arcade docs (see LIVE-POC.md).",
"mcpServers": { "mcpServers": {
"arcade-eval": { "arcade-eval": {
"url": "https://api.arcade.st.dev/mcp/<slug>", "url": "https://api.arcade.st.dev/mcp/<slug>",
"headers": { "headers": {
"Authorization": "Bearer ${ARCADE_API_KEY}", "Authorization": "Bearer ${ARCADE_API_KEY}",
"<user-id-header>": "<your-user-id>" "Arcade-User-ID": "<your-user-id>"
} }
} }
} }
LIVE-POC.md
+4 -1
View File
@@ -40,7 +40,10 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8**
## Live fixtures (filled in Phase 1) ## Live fixtures (filled in Phase 1)
- **Project:** _TBD (Task 1.1)_ - **Project:** _TBD (Task 1.1)_
- **API key:** _label / last-4 only — never the key (Task 1.1)_ - **API key:** _label / last-4 only — never the key (Task 1.1)_
- **Headless auth header convention:** _confirmed in Task 1.1_ - **Headless auth header convention (confirmed via Arcade docs 2026-06-18):** MCP gateway calls use
`Authorization: Bearer <ARCADE_API_KEY>` + `Arcade-User-ID: <user_id>`. The user_id is any stable
string (an email works); this mode is for clients without browser auth / token refresh. Self-hosted
gateway URL: `https://api.arcade.st.dev/mcp/<slug>`. (Source: docs.arcade.dev call-tool-client.)
- **Baseline gateway:** _slug + tool allow-list (Task 1.2)_ - **Baseline gateway:** _slug + tool allow-list (Task 1.2)_
- **Shared reference server:** _name + tools echo/whoami/add (Task 1.4)_ - **Shared reference server:** _name + tools echo/whoami/add (Task 1.4)_
- **`whoami` identity field:** _exact field the server reads (Task 1.4 / 2.4)_ - **`whoami` identity field:** _exact field the server reads (Task 1.4 / 2.4)_
config/.env.example
+4 -2
View File
@@ -12,5 +12,7 @@ ARCADE_API_KEY=
ARCADE_USER_A=user-a@servicetitan.com ARCADE_USER_A=user-a@servicetitan.com
ARCADE_USER_B=user-b@servicetitan.com ARCADE_USER_B=user-b@servicetitan.com
# The exact header name(s) for API-key + user_id on MCP calls are CONFIRMED live in Task 1.1 # Confirmed headless auth (Arcade docs) — MCP gateway calls send:
# and recorded in LIVE-POC.md — do not guess them in code. # Authorization: Bearer ${ARCADE_API_KEY}
# Arcade-User-ID: <user_id> (any stable string; an email works)
# See LIVE-POC.md.