Authentication

The gateway supports two authentication methods, both using Bearer tokens.

Static Bearer Tokens

Admin-generated tokens for direct API access. The token is hashed (SHA-256) and stored in KV.

Authorization: Bearer {plaintext_token}

The gateway hashes the token and looks up tenant_auth:{sha256_hash} in KV. This resolves to a tenant_id and status.

OAuth-Issued Tokens

For MCP clients (Claude, ChatGPT, Cursor) that connect via the OAuth 2.1 flow:

Client registers via Dynamic Client Registration (POST /oauth/register)
Client redirects user to GET /oauth/authorize
User authenticates with their tenant bearer token
Gateway issues an auth code, exchanged for an access token
Access token is valid for 90 days

MCP Client Configuration

{
  "mcpServers": {
    "ascend-gateway": {
      "url": "https://ascend-gateway-v5.ascendgtm.workers.dev/mcp",
      "transport": "streamable-http"
    }
  }
}

The OAuth flow is automatic — MCP-compatible clients handle DCR and token exchange transparently.

Rate Limits

Endpoint	Limit
API calls (per IP)	30 requests/minute
OAuth DCR (per IP)	5 registrations/hour

Multi-Account

Tenants can have multiple accounts per provider. Pass account_id to target a specific account:

{"domain": "hubspot", "path": "/crm/v3/objects/contacts", "account_id": "kahuna_prod"}

If the tenant has multiple accounts and account_id is omitted, the gateway returns an error listing available accounts.

Static Bearer Tokens​

OAuth-Issued Tokens​

MCP Client Configuration​

Rate Limits​

Multi-Account​

Static Bearer Tokens

OAuth-Issued Tokens

MCP Client Configuration

Rate Limits

Multi-Account