Skip to main content
Centaur uses different auth patterns by surface:
  • REST uses partner API keys.
  • MCP prefers OAuth in supported clients.
  • MCP still accepts legacy API-key auth during the migration window when a client cannot complete the OAuth flow yet.

Access model

REST

REST remains unchanged: 
x-api-key: <partner-api-key>
Use REST when you want direct HTTP control or a backend integration.

MCP preferred path

For MCP, the preferred setup is:
  1. Add the plain MCP server URL: https://partners.centaur.io/mcp
  2. Let the client discover the protected resource and authorization-server metadata
  3. Let the client dynamically register itself if it needs a new OAuth client
  4. Sign in to Centaur in the browser when prompted
  5. Approve the requested MCP access scopes
The current eligibility rule for MCP OAuth is the same one Centaur already uses for partner access today: the signed-in user must already have active partner API key access.

Read scopes

Each endpoint family and MCP capability family uses the matching read scope:
  • events.read for events
  • messages.read for messages
  • positions.read for open and closed position reads
  • directory.read for trader and asset discovery
  • stats.read for trader and asset stats
Centaur may provision one account or key with multiple read scopes.

MCP compatibility fallback

If your client cannot complete the OAuth flow yet, MCP also accepts:
  • Authorization: Bearer <partner-api-key> when the client supports custom headers
  • https://partners.centaur.io/mcp?api_key=<partner-api-key> only when the client cannot send MCP auth headers at all
Keep OAuth as the default whenever the client supports it. For Claude specifically, the default path is also the plain-URL DCR flow; provisioned or Anthropic-held client credentials are fallbacks for workspaces that require them.

OpenAI API note

This page covers interactive MCP clients such as ChatGPT and Codex. Some OpenAI API-side MCP integrations may still require your application to obtain and supply an OAuth access token directly instead of relying on an interactive browser flow.

REST example

curl -s 'https://partners.centaur.io/api/v1/events?limit=10' \
  -H 'x-api-key: <partner-api-key>'

MCP compatibility example

curl -s 'https://partners.centaur.io/mcp' \
  -H 'accept: application/json, text/event-stream' \
  -H 'content-type: application/json' \
  -H 'authorization: Bearer <partner-api-key>' \
  -d '{"jsonrpc":"2.0","id":"tool-call-1","method":"tools/call","params":{"name":"list_events","arguments":{"limit":10}}}'

Notes

  • REST stays on API keys in v1.
  • MCP OAuth is gated to the same users who currently have partner access today.
  • ?api_key= is MCP-only and exists as a compatibility fallback for clients that cannot send auth headers or cannot complete OAuth yet.
  • Some results may be omitted rather than returned with a warning when they fall outside the current access or eligibility rules.
  • Swagger at https://partners.centaur.io/api/v1/docs is a secondary technical reference, not the canonical docs surface.
Last modified on April 20, 2026