Authentication
Web app MCP (honest matrix)
| Principal | How resolved | Status |
|---|---|---|
| Public | No Authorization header (or empty Bearer) | Shipped — community + travel tools (Grok default) |
| Admin | Authorization: Bearer <ADMIN_API_TOKEN> (constant-time compare) | Shipped — full web tool list including bot-proxy admin tools |
| Member | Personal token / Discord OAuth → Discord-bound principal | Seam only — resolveMemberPrincipal always returns null today → 401 (never falls back to public) |
Production fact
- Omit Authorization for public community + travel tools (
tools/listand publictools/callwork without a token). - Pass admin bearer only when you need admin/ops tools.
- A non-empty invalid Bearer is 401, not public — wrong tokens do not silently open the public catalog.
Visibility (shipped)
| Tool | Flag | Access |
|---|---|---|
community_overview | public | public / member / admin |
builder_path | public | public / member / admin |
leaderboard | public | public / member / admin |
member_stats | public | public / member / admin (member self-scopes when wired) |
upcoming_events | public | public / member / admin |
open_quests_and_bounties | public | public / member / admin |
hangout_info | public | public / member / admin |
search_stay_packages | public | public / member / admin |
hangout_status | admin | admin only |
list_scheduled_events | admin | admin only |
| Other bot-proxy ops tools | admin | admin only |
Bot-service admin MCP
| Rule | Detail |
|---|---|
| Auth | Always ADMIN_API_TOKEN via requireAdminRequest |
| Public access | None |
| Tools | Full admin catalog — see Admin tools |
Secrets hygiene
- Never put
ADMIN_API_TOKEN, Supabase service role keys, or bot tokens in client bundles or this docs site. - Configure bearer headers in the MCP client's secret slot.
- Rotating the admin token invalidates all admin MCP clients immediately.
Error shapes
| HTTP | Meaning |
|---|---|
| 401 | Invalid non-empty Authorization (wrong token / member seam null) — body includes onboarding URL https://houseofvibes.app |
| 405 | GET or non-POST |
| 500 | Unexpected server error |
JSON-RPC error | Protocol errors inside a 200 JSON-RPC envelope |
