Authentication
The LoomBrain MCP server supports two authentication methods: OAuth 2.1 (default) and API keys (fallback for non-interactive environments).
OAuth 2.1 (default)
OAuth 2.1 is the primary authentication method. It requires no manual token management.
How it works:
- On the first MCP request from a new client, the server returns an authorization challenge.
- The client opens a browser window redirecting to https://app.loombrain.com/oauth/authorize.
- You sign in with Google (or email/password).
- The authorization server issues an access token (short-lived) and a refresh token (long-lived).
- In Claude Code and Claude Desktop, tokens are stored in the system keychain (Keychain on macOS, Secret Service on Linux, Credential Manager on Windows). Third-party MCP clients may store tokens differently.
- The access token is attached automatically to every subsequent MCP request.
- When the access token expires, the client uses the refresh token to obtain a new one silently.
You are prompted to sign in once. After that, the token lifecycle is fully automatic.
API key fallback
API keys are useful when browser-based OAuth is not feasible, for example in CI pipelines or headless remote environments.
Generate a key:
- Open app.loombrain.com and go to Settings > API Keys.
- Click New API Key, give it a name, and copy the key value.
The key is shown only once. Store it in a secrets manager or environment variable.
Configure the client:
Pass the key as an HTTP header in your MCP client configuration. The header name is Authorization with a Bearer prefix:
```
Authorization: Bearer lb_key_...
```
Refer to your client’s documentation for where to specify custom request headers. For most clients that support .mcp.json, this is done via a headers field:
```json
{
  "mcpServers": {
    "loombrain": {
      "type": "url",
      "url": "https://mcp.loombrain.com/mcp",
      "headers": {
        "Authorization": "Bearer lb_key_..."
      }
    }
  }
}
```
API keys do not expire but can be revoked at any time from the dashboard.
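Because the key never expires and sits in plain text in the `headers` field, a CI job can generate `.mcp.json` at run time from an environment variable instead of committing it. The script below is an added example, not LoomBrain's own tooling; the variable name `LOOMBRAIN_API_KEY` is an assumption, and the `lb_key_` prefix check is based only on the sample header shown above.

```python
import json
import os

MCP_URL = "https://mcp.loombrain.com/mcp"  # server URL from the config above
KEY_PREFIX = "lb_key_"                      # prefix seen in the page's sample header
ENV_VAR = "LOOMBRAIN_API_KEY"               # assumed name, not defined by LoomBrain


def build_mcp_config(environ=os.environ):
    """Return the .mcp.json structure with the key taken from the environment."""
    key = environ.get(ENV_VAR, "")
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError(f"{ENV_VAR} is unset or does not look like an API key")
    # Reject whitespace and control characters so the value cannot
    # break out of the Authorization header line.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in key):
        raise ValueError(f"{ENV_VAR} contains whitespace or control characters")
    return {
        "mcpServers": {
            "loombrain": {
                "type": "url",
                "url": MCP_URL,
                "headers": {"Authorization": f"Bearer {key}"},
            }
        }
    }


def write_config(path, config):
    """Write the config so only the current user can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens the mode of a file that already existed
    return path


if __name__ == "__main__":
    write_config(".mcp.json", build_mcp_config())
    print("wrote .mcp.json")  # the key itself is never printed to the CI log
```

Run it as a step after the CI system has injected the secret, and keep the generated `.mcp.json` out of version control.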