
Authentication

The MCP supports two ways to authenticate. Connector sign-in (OAuth) is the default for AI assistants; API keys are for developers calling the service directly.

Connector sign-in (OAuth)

When you add https://mcp.thecoindaily.co/mcp as a connector, your assistant runs a standard OAuth 2.1 flow — there's no token for you to handle:

  1. The client discovers the authorization server from the MCP's protected-resource metadata.
  2. It sends you to the Coin Daily sign-in page (auth.thecoindaily.co) to sign up or log in.
  3. You approve access; the client receives a token and calls the tools on your behalf.

Accounts are managed in Amazon Cognito. Your assistant refreshes the token automatically; you only re-authenticate if you revoke access or it expires.

This path uses Client ID Metadata Documents (CIMD) — the MCP 2025-11-25 client-registration default — so Claude, ChatGPT, and Claude Code all connect without any manual client registration on either side.

Manage your account any time at mcp.thecoindaily.co/account: change preferences, or delete your account (full erasure across our records, Listmonk, and Cognito).

API keys (for developers)

If you're calling the MCP from your own agent, a script, or a backend, a static Bearer key is simpler than the OAuth dance.

Get one at thecoindaily.co/mcp: submit your email, confirm via the link, and your key is shown once on the confirmation page. It looks like:

tcd_aADRNXydl72fJ4qVnx5pjgEUjVypzrY7Rm4-1lHT8zE

Send it as a Bearer header on every request:

Authorization: Bearer tcd_...

Treat it like a password: don't commit it to git or paste it into chats. Lost it? Replace it from your account page (the old key is revoked atomically).

Rate limits & tiers

Limits apply per account (OAuth) or per key, and per IP as a safety net. The free tier is generous enough for interactive use; a pro tier with higher limits is planned.

Limit              Free
Requests / minute  60
Requests / day     2,000

When you exceed a limit you'll get an HTTP 429 with a Retry-After header. Back off and retry after the number of seconds it indicates.

Errors

Auth failures return a JSON-RPC error with HTTP 401 and a WWW-Authenticate header pointing at the authorization-server metadata (so compliant clients can start the OAuth flow automatically). Common cases:

HTTP  Meaning                                 Fix
401   Missing / invalid / expired credential  Re-connect (OAuth) or check your API key
429   Rate limit exceeded                     Honour Retry-After
5xx   Server-side issue                       Retry with backoff
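
The table above as client logic for the API-key path, in an added example that is not Coin Daily's own code: a 401 is raised at once, a 429 waits for Retry-After, and a 5xx is retried with exponential backoff. The TCD_API_KEY variable name, the 60-second cap, the attempt limit and the scripted transport with its canned responses are assumptions constructed for illustration.

```python
import json, os, random, time, urllib.error, urllib.request

MCP_URL = "https://mcp.thecoindaily.co/mcp"  # endpoint named on this page

class AuthError(Exception):
    """HTTP 401: the credential is missing, invalid or expired; retrying cannot help."""

def http_send(payload, api_key):
    """Real transport: POST one JSON-RPC message, return (status, headers, body)."""
    req = urllib.request.Request(MCP_URL, data=json.dumps(payload).encode(), headers={
        "Authorization": f"Bearer {api_key}",      # the key travels only in this header
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read()
    except urllib.error.HTTPError as e:            # urllib raises on 4xx/5xx
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()

def call(payload, api_key, send=http_send, sleep=time.sleep, max_attempts=5):
    """Apply the error table: 401 -> fail fast, 429 -> Retry-After, 5xx -> backoff."""
    for attempt in range(max_attempts):
        status, headers, body = send(payload, api_key)
        if status == 401:
            raise AuthError("HTTP 401: check or replace the API key")
        if status == 429:
            try:                                   # header carries whole seconds
                delay = int(headers.get("retry-after", ""))
            except ValueError:                     # absent or unparsable: back off anyway
                delay = 2.0 ** attempt
        elif 500 <= status < 600:
            delay = 2.0 ** attempt + random.random()   # exponential backoff plus jitter
        else:
            return status, body
        if attempt + 1 < max_attempts:
            sleep(min(max(delay, 0.0), 60.0))      # assumed cap so a bad header cannot stall us
    raise RuntimeError(f"gave up after {max_attempts} attempts (last HTTP {status})")

def scripted(responses):
    """Constructed offline transport: replays canned (status, headers, body) tuples."""
    replies = iter(responses)
    return lambda payload, api_key: next(replies)

if __name__ == "__main__":
    # TCD_API_KEY is a hypothetical name; keep the real key out of source and git.
    key = os.environ.get("TCD_API_KEY", "tcd_constructed_placeholder")
    fake = scripted([(429, {"retry-after": "2"}, b""), (200, {}, b'{"ok": true}')])
    msg = {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
    print(call(msg, key, send=fake, sleep=lambda s: print("waiting", s, "s")))
```

To call the live service, drop the send= argument so http_send is used and set the key in the environment.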