Auth Methods
Roster has different authentication methods for each surface.
Method Matrix
| Surface | Preferred method | Notes |
|---|---|---|
| Platform web UI | Roster Auth browser session | Human login through form auth or configured identity providers. |
| REST API | API-key bearer token | Implemented for automation, SDKs, and external integrations. |
| MCP server | API key or Roster OAuth token | Controlled by |
| CLI | MCP OAuth for humans, API keys for automation | CLI is MCP-first. |
| Provider connectors | Provider-specific outbound credentials | Stored through connector configuration and provider secrets. |
API Keys
API keys use the rst_ prefix and are owned by Roster identities.
Admins create, inspect, and revoke API keys from Platform API Keys.
```sh
curl "https://roster.example.com/api/v1/projects?limit=10" \
  -H "Authorization: Bearer ${ROSTER_API_KEY}"
```

```js
const response = await fetch("https://roster.example.com/api/v1/projects?limit=10", {
  headers: {
    Authorization: `Bearer ${process.env.ROSTER_API_KEY}`,
  },
});

if (!response.ok) {
  throw new Error(`Roster API request failed: ${response.status}`);
}
```

```python
import os
import requests

response = requests.get(
    "https://roster.example.com/api/v1/projects?limit=10",
    headers={"Authorization": f"Bearer {os.environ['ROSTER_API_KEY']}"},
    timeout=10,
)
response.raise_for_status()
```

API keys can carry REST scopes, MCP scopes, or both. Write scopes automatically
include their matching read scope when created through the platform presets.
Scopes limit what the key can try to do; they do not elevate the owner. Runtime
access is key scopes ∩ owner rights ∩ resource rules, and all expands only
the scope dimension.
REST Auth
Implemented REST endpoints require API-key bearer auth. REST scopes use the
api: prefix, for example:

- api:projects:read
- api:participants:write
- api:resolve
- api:resolve-requests:read

REST API authentication mode is configured by the deployed Roster runtime.
MCP Auth
MCP auth is configured with ROSTER_MCP_AUTH_MODE:

- none
- api_key
- oauth
- api_key,oauth

Production rejects unset or none auth mode. Individual MCP tools enforce
mcp:* scopes such as mcp:resolve and mcp:participants:read.
OAuth consent offers MCP write and label scopes only to admins and effective
project owners; ordinary members can approve Resolve and non-label read scopes.
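To make the two rules above concrete, here is an added illustration (not Roster's own code) of the access computation "key scopes ∩ owner rights ∩ resource rules", the preset rule that a write scope carries its matching read scope, and the accepted ROSTER_MCP_AUTH_MODE values; the function names are hypothetical.

```python
# Added illustration, not Roster's implementation. Models the rules stated on
# this page: a key never grants more than its owner already holds, write scopes
# imply the matching read scope under platform presets, and production rejects
# an unset or "none" MCP auth mode. Function names are hypothetical.
VALID_MODES = {"none", "api_key", "oauth"}


def expand_preset(scopes):
    """Platform presets add the matching read scope to every write scope."""
    expanded = set(scopes)
    for scope in scopes:
        if scope.endswith(":write"):
            expanded.add(scope[: -len(":write")] + ":read")
    return expanded


def effective_access(key_scopes, owner_rights, resource_rules):
    """Runtime access is the intersection; a key can narrow but never elevate."""
    return set(key_scopes) & set(owner_rights) & set(resource_rules)


def parse_mcp_auth_mode(value, production):
    """Parse ROSTER_MCP_AUTH_MODE ("api_key,oauth" enables both methods).

    Production rejects an unset variable and the "none" mode."""
    if value is None or value.strip() == "":
        if production:
            raise ValueError("ROSTER_MCP_AUTH_MODE must be set in production")
        return set()
    modes = {m.strip() for m in value.split(",")}
    unknown = modes - VALID_MODES
    if unknown:
        raise ValueError(f"unknown MCP auth mode(s): {sorted(unknown)}")
    if production and "none" in modes:
        raise ValueError("MCP auth mode 'none' is rejected in production")
    return modes


if __name__ == "__main__":
    # Constructed sample: the key was created with a write preset, but its
    # owner only holds read, so the write scope is dropped at runtime.
    key = expand_preset({"api:participants:write", "mcp:resolve"})
    owner = {"api:participants:read", "mcp:resolve"}
    rules = {"api:participants:read", "api:participants:write", "mcp:resolve"}
    print(sorted(effective_access(key, owner, rules)))
    print(sorted(parse_mcp_auth_mode("api_key,oauth", production=True)))
```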
Provider Credentials
Directory connector credentials are outbound provider credentials. They are not login identity providers and they do not authenticate REST or MCP clients.
Encrypted provider secrets use:

```sh
ROSTER_PROVIDER_SECRET_ENCRYPTION_KEY=<high-entropy-secret>
ROSTER_PROVIDER_SECRET_KEY_ID=env:prod-2026-05
```