Authentication

Station supports multiple authentication methods for AI providers and CloudShip platform integration.

AI Provider Authentication

Anthropic OAuth Unavailable: Anthropic has restricted third-party use of OAuth tokens. Claude Max/Pro subscription authentication (stn auth anthropic login) is not working until further notice. Please use API key authentication instead.
Set your API key as an environment variable:
# OpenAI
export OPENAI_API_KEY="sk-..."

# Google Gemini
export GEMINI_API_KEY="..."

# Anthropic (pay-per-token billing)
export ANTHROPIC_API_KEY="sk-ant-api03-..."

Authentication Priority

Station checks for credentials in this order:
Priority  Method                    Description
1         STN_AI_AUTH_TYPE=api_key  Force API key mode (override)
2         Station OAuth tokens      stn auth anthropic login (DEPRECATED)
3         Claude Code credentials   ~/.claude/.credentials.json (DEPRECATED)
4         Environment variable      ANTHROPIC_API_KEY, OPENAI_API_KEY, etc. (Recommended)

Deployments

For all Station instances (local, Docker, K8s, Fly.io), use API keys:
docker run \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  -e STN_AI_PROVIDER=openai \
  ghcr.io/cloudshipai/station:latest

CloudShip Authentication

Connect your Station to CloudShip for centralized management, team collaboration, and OAuth-protected MCP access.

Login with API Key

stn auth login
Using config file: /home/user/.config/station/config.yaml
🔭 OTEL telemetry enabled - provider=jaeger, endpoint=http://localhost:4318
Enter your CloudShip API key: ▌
Get your API key from your CloudShip dashboard.

Using Registration Key

For automated deployments, use a registration key in your config:
# config.yaml
cloudship:
  enabled: true
  registration_key: "sk-reg-..."
  name: "my-station"
  tags: ["production", "us-east-1"]

stn serve
# Output: Successfully registered with CloudShip management channel

Check Connection Status

stn auth status
CloudShip Connection:
  ✅ Connected to CloudShip
  Organization: My Company
  Station: production-us-east
  Last sync: 2 minutes ago

AI Provider:
  ✅ Authenticated with OpenAI (API Key)
  Model: gpt-5-mini

Logout

# Logout from CloudShip
stn auth logout

OAuth for MCP Access

When CloudShip OAuth is enabled, MCP clients authenticate through CloudShip before accessing your Station’s agents.

Who Can Access?

Only users who:
  1. Have a CloudShip account
  2. Are members of your organization
  3. Successfully authenticate via OAuth

Enable OAuth

# config.yaml
cloudship:
  enabled: true
  registration_key: "your-key"
  name: "my-station"
  oauth:
    enabled: true
    client_id: "your-oauth-client-id"  # From CloudShip OAuth Apps

How It Works

MCP Client                    Station                      CloudShip
    |                           |                             |
    |------ POST /mcp --------->|                             |
    |<----- 401 Unauthorized ---|                             |
    |                           |                             |
    |------- [Browser Login] -------------------------------->|
    |<------ [Access Token] ----------------------------------|
    |                           |                             |
    |------ POST /mcp --------->|                             |
    |  Authorization: Bearer    |------ Validate Token ------>|
    |                           |<------ {active: true} ------|
    |<----- MCP Response -------|                             |

MCP Client Configuration

Point your MCP client to port 8587 (Dynamic Agent MCP):
{
  "mcpServers": {
    "my-station": {
      "url": "https://my-station.example.com:8587/mcp"
    }
  }
}
When connecting, the client will:
  1. Receive a 401 with OAuth discovery URL
  2. Open CloudShip login in your browser
  3. After authentication, automatically retry with the access token

Security Notes

  • Registration keys should be kept secret - they authorize Station connections
  • OAuth tokens are validated on every MCP request via CloudShip introspection
  • PKCE is required for all OAuth flows (S256 code challenge)
  • Station caches validated tokens for 5 minutes to reduce introspection calls
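
The introspection and 5-minute cache notes above have a practical consequence: a token revoked at CloudShip can still be accepted until its cache entry ages out. The following is an added Python example, not Station's own code; the class and function names, the hashed cache key, and capping the entry at the token's `exp` are assumptions made for illustration, and the clock and introspection endpoint are constructed fakes.

```python
import hashlib
import time

CACHE_TTL = 300  # seconds; the 5-minute window from the Security Notes


class IntrospectionCache:
    """Caches positive introspection results (illustrative, not Station's code)."""

    def __init__(self, introspect, clock=time.time, ttl=CACHE_TTL):
        self._introspect = introspect  # callable(token) -> dict, e.g. {"active": True, "exp": ...}
        self._clock = clock
        self._ttl = ttl
        self._entries = {}  # sha256(token) -> time after which the cached verdict is dropped
        self.upstream_calls = 0

    def is_active(self, token):
        now = self._clock()
        # Key by hash so raw bearer tokens are not held in the cache.
        key = hashlib.sha256(token.encode()).hexdigest()
        expires = self._entries.get(key)
        if expires is not None and now < expires:
            return True  # cache hit: no introspection call is made
        self._entries.pop(key, None)
        self.upstream_calls += 1
        result = self._introspect(token)
        if not result.get("active"):
            return False  # negative answers are never cached
        # Assumption: cap the entry at the token's own exp so a hit cannot outlive the token.
        limit = min(now + self._ttl, result.get("exp", float("inf")))
        if limit <= now:
            return False
        self._entries[key] = limit
        return True


def demo():
    """Constructed scenario: the token is revoked 60 s after its first use."""
    state = {"now": 1000.0, "revoked": False}
    def fake_introspect(token):
        return {"active": not state["revoked"], "exp": 1000.0 + 3600}
    cache = IntrospectionCache(fake_introspect, clock=lambda: state["now"])
    timeline = []
    for offset in (0, 60, 299, 300):
        state["now"] = 1000.0 + offset
        state["revoked"] = offset >= 60
        timeline.append((offset, cache.is_active("constructed-token")))
    return timeline, cache.upstream_calls
```

In `demo()`, the revoked token is still accepted at 60 s and 299 s and rejected only at 300 s, so revocation during incident response should be planned with that window in mind.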