OAuth vs. API key authentication
This page documents the two authentication mechanisms supported by the Cryptohopper Market Data MCP — OAuth 2.0 and bearer-token (API key) authentication — and explains when to choose each.
Authentication methods supported by the MCP
The Cryptohopper Market Data MCP supports two authentication mechanisms:
- OAuth 2.0 — a browser-based authorisation flow. No long-lived secret is stored in the client config; the MCP client handles the token exchange and refresh on your behalf.
- Bearer token (API key) — a long-lived key, generated through the Cryptohopper account interface, passed in the Authorization header of every MCP request.
Both mechanisms are first-class and supported on an ongoing basis. You can switch between them at any time by updating your client configuration. For the full account and key model, see account overview.
For client-specific setup steps, see:
- How to set up the Cryptohopper MCP in Claude Code
- How to set up the Cryptohopper MCP in Codex
- How to set up the Cryptohopper MCP in the Claude desktop app
What OAuth is, briefly
OAuth 2.0 is a delegated authorisation protocol in which a user grants a client application limited access to their account, without sharing credentials. The client is issued a token that represents the grant.
Typical OAuth flows involve:
- A user-driven authorisation step (the user clicks "Allow" in a browser).
- A redirect with an authorisation code.
- A token exchange step that produces an access token (and optionally a refresh token).
The tokens are scoped (the grant specifies which permissions are given), time-limited, and revocable.
When to use OAuth with the MCP
OAuth is generally the better choice when:
- You are setting up the MCP in an interactive client (Claude Code, Codex, the Claude desktop app) on a device where you can complete a browser-based sign-in.
- You prefer not to store a long-lived secret in a config file.
- You want short-lived access tokens that the client refreshes automatically.
- You want to be able to revoke access for a specific device or client without affecting other integrations.
Because OAuth tokens are short-lived and refreshed automatically, OAuth tends to be the lower-maintenance option for day-to-day use on personal machines.
When to use an API key with the MCP
A bearer-token API key is generally the better choice when:
- The integration is machine-to-machine: scripts, CI jobs, agents, or any unattended automation where a browser-based sign-in is not practical.
- You want to issue multiple keys for segmentation within a single account (e.g., one per script or environment).
- Simplicity of setup matters more than token rotation: a single copy-paste of the key into the client config is sufficient.
- The deployment target cannot easily complete an interactive OAuth flow (headless servers, containers, etc.).
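Because a bearer key used this way is a long-lived secret sitting in a client config, the following added example (not Cryptohopper's code) audits a config file for keys stored as literals and for file modes that let other users read them. The `mcpServers`/`headers` JSON layout and the `${VAR}` environment-reference convention are assumptions about the MCP client; the server names, URL and key value are constructed placeholders.

```python
import json
import os
import re
import stat
import tempfile

# "${NAME}" = key injected from the environment by the client (assumed convention).
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def audit_mcp_config(path):
    """Return (server, finding) tuples for bearer keys stored literally in a config file."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for header, value in (server.get("headers") or {}).items():
            scheme, _, credential = str(value).strip().partition(" ")
            if header.lower() != "authorization" or scheme.lower() != "bearer":
                continue
            if not credential or ENV_REF.match(credential.strip()):
                continue  # nothing stored, or the key comes from the environment
            findings.append((name, "long-lived bearer key stored in config"))
            if mode & 0o077:
                findings.append((name, f"config readable by group/other (mode {mode:04o})"))
    return findings


# Constructed sample: one literal key, one environment reference, one OAuth entry.
SAMPLE = {
    "mcpServers": {
        "ci-job": {"headers": {"Authorization": "Bearer PLACEHOLDER_KEY"}},
        "env-job": {"headers": {"Authorization": "Bearer ${MCP_API_KEY}"}},
        "laptop-oauth": {"url": "https://mcp.example.invalid/"},
    }
}


def audit_sample(mode=0o644):
    """Write SAMPLE to a temporary file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mcp.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, mode)
        return audit_mcp_config(path)
```

Run `audit_mcp_config()` against the real config path in CI and fail the job on any finding; only the literal key is flagged, while the environment reference and the OAuth entry pass.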
Comparison
| Axis | API key (bearer token) | OAuth 2.0 |
|---|---|---|
| Setup complexity | Low — paste key into config | Browser-based authorisation flow |
| Typical actor | Scripts, CI, agents, unattended automation | Interactive clients on a personal device |
| Token lifetime | Long-lived until revoked | Access tokens short-lived, refreshed automatically |
| Secret stored in client config | Yes (the key) | No |
| Revocation | Per-key, immediate | Per-grant, immediate |
| User-in-the-loop for issuance | No — user generates key directly | Yes — authorisation step required |
| Best fit | Headless / automated use | Interactive / personal use |
Using both in the same account
A single Cryptohopper account can use OAuth and bearer-token authentication side by side. For example, you might use OAuth in Claude Code on your laptop while running a scheduled agent in CI that authenticates with a long-lived API key. The two mechanisms are issued, rotated, and revoked independently.
Related Cryptohopper products
Other Cryptohopper products may use different authentication mechanisms. The Cryptohopper REST Trading API uses its own credential scheme, which is separate from MCP authentication. See Combine MCP + Cryptohopper Trading API for end-to-end agents for how the two are used together.
A single Cryptohopper account can hold MCP credentials (OAuth grants and/or bearer-token keys) alongside Trading API credentials. All are managed independently.
