> For the complete documentation index, see [llms.txt](https://k-ai.gitbook.io/knowledge-ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://k-ai.gitbook.io/knowledge-ai/authentication/authentication.md). # Overview K-AI exposes three auth surfaces, one per caller type. Backend pipelines use static `instance-id` + `api-key` headers on the KAI Instance API. MCP clients and custom user-level integrations use OAuth 2.1 (Authorization Code + PKCE + Dynamic Client Registration). Browser frontends running under `.kai-studio.ai` use the `kai_auth` HttpOnly cookie. OAuth 2.1 and cookies share the same authorization server (`https://auth-api.kai-studio.ai`) — a token issued via either surface is accepted by both the K-AI Audit and K-AI MCP APIs. ## Choose your auth | Caller type | Auth | Page | | ------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------- | | Backend pipeline ingesting documents | `instance-id` + `api-key` headers | [Instance API keys](/knowledge-ai/authentication/api-keys.md) | | MCP client (Claude Desktop / Cursor / Le Chat) or custom user-level integration | OAuth 2.1 (Bearer JWT) | [OAuth 2.1](/knowledge-ai/authentication/oauth.md) | | Browser frontend on `.kai-studio.ai` | `kai_auth` HttpOnly cookie | [Cookies](/knowledge-ai/authentication/cookies.md) | The decision rule is straightforward: a machine-to-machine pipeline with no end-user identity uses Instance API keys; anything acting on behalf of a human user — whether an MCP client or a custom integration — uses OAuth 2.1; a first-party browser app reuses the cookie set after login. ## Where to next * [Instance API keys](/knowledge-ai/authentication/api-keys.md) — static credentials for ingestion pipelines on `https://api.kai-studio.ai`. One key, one instance, no user identity. * [OAuth 2.1](/knowledge-ai/authentication/oauth.md) — full Authorization Code + PKCE flow with Dynamic Client Registration. Includes Microsoft SSO behaviour and the end-to-end sequence diagram. * [Cookies](/knowledge-ai/authentication/cookies.md) — `kai_auth` HttpOnly cookie semantics: properties, sliding refresh, logout, cross-subdomain SSO. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://k-ai.gitbook.io/knowledge-ai/authentication/authentication.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.