Authentication
Station supports multiple authentication methods for AI providers and CloudShip platform integration.
AI Provider Authentication
Anthropic OAuth Unavailable: Anthropic has restricted third-party use of OAuth tokens. Claude Max/Pro subscription authentication (stn auth anthropic login) is not working until further notice. Please use API key authentication instead.
API Keys (Recommended)
Set your API key as an environment variable:
# OpenAI
export OPENAI_API_KEY="sk-..."
# Google Gemini
export GEMINI_API_KEY="..."
# Anthropic (pay-per-token billing)
export ANTHROPIC_API_KEY="sk-ant-api03-..."
Authentication Priority
Station checks for credentials in this order:
| Priority | Method | Description |
|---|---|---|
| 1 | STN_AI_AUTH_TYPE=api_key | Force API key mode (override) |
| 2 | Station OAuth tokens | stn auth anthropic login (DEPRECATED) |
| 3 | Claude Code credentials | ~/.claude/.credentials.json (DEPRECATED) |
| 4 | Environment variable | ANTHROPIC_API_KEY, OPENAI_API_KEY, etc. (Recommended) |
Deployments
For all Station instances (local, Docker, K8s, Fly.io), use API keys:
docker run \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  -e STN_AI_PROVIDER=openai \
  ghcr.io/cloudshipai/station:latest
CloudShip Authentication
Connect your Station to CloudShip for centralized management, team collaboration, and OAuth-protected MCP access.
Login with API Key
Using config file: /home/user/.config/station/config.yaml
🔭 OTEL telemetry enabled - provider=jaeger, endpoint=http://localhost:4318
Enter your CloudShip API key: ▌
Get your API key from your CloudShip dashboard.
Using Registration Key
For automated deployments, use a registration key in your config:
# config.yaml
cloudship:
  enabled: true
  registration_key: "sk-reg-..."
  name: "my-station"
  tags: ["production", "us-east-1"]

stn serve
# Output: Successfully registered with CloudShip management channel
Check Connection Status
CloudShip Connection:
✅ Connected to CloudShip
Organization: My Company
Station: production-us-east
Last sync: 2 minutes ago
AI Provider:
✅ Authenticated with OpenAI (API Key)
Model: gpt-5-mini
Logout
# Logout from CloudShip
stn auth logout
OAuth for MCP Access
When CloudShip OAuth is enabled, MCP clients authenticate through CloudShip before accessing your Station’s agents.
Who Can Access?
Only users who:
- Have a CloudShip account
- Are members of your organization
- Successfully authenticate via OAuth
Enable OAuth
# config.yaml
cloudship:
  enabled: true
  registration_key: "your-key"
  name: "my-station"
  oauth:
    enabled: true
    client_id: "your-oauth-client-id" # From CloudShip OAuth Apps
How It Works
MCP Client                  Station                       CloudShip
|                           |                             |
|------ POST /mcp --------->|                             |
|<----- 401 Unauthorized ---|                             |
|                           |                             |
|------- [Browser Login] -------------------------------->|
|<------ [Access Token] ----------------------------------|
|                           |                             |
|------ POST /mcp --------->|                             |
| Authorization: Bearer     |------ Validate Token ------>|
|                           |<------ {active: true} ------|
|<----- MCP Response -------|                             |
MCP Client Configuration
Point your MCP client to port 8587 (Dynamic Agent MCP):
{
  "mcpServers": {
    "my-station": {
      "url": "https://my-station.example.com:8587/mcp"
    }
  }
}
When connecting, the client will:
- Receive a 401 with an OAuth discovery URL
- Open CloudShip login in your browser
- After authentication, automatically retry with the access token
Security Notes
- Registration keys should be kept secret - they authorize Station connections
- OAuth tokens are validated on every MCP request via CloudShip introspection
- PKCE is required for all OAuth flows (S256 code challenge)
- Station caches validated tokens for 5 minutes to reduce introspection calls
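The introspection-plus-cache behaviour described in these notes has one consequence worth seeing in code: under a 5-minute cache, a token revoked upstream can still be accepted until its cache entry expires. The sketch below is an added example, not Station's own code; `TokenValidator`, the `introspect` callable, the `exp` handling and `demo` are assumptions for illustration, and only the `{active: true}` response shape and the 5-minute TTL come from this page.

```python
import hashlib
import time

CACHE_TTL = 5 * 60  # seconds; the page says validated tokens are cached for 5 minutes

class TokenValidator:
    def __init__(self, introspect, clock=time.time, ttl=CACHE_TTL):
        self._introspect = introspect  # assumed callable: token -> dict like {"active": True}
        self._clock = clock            # injectable clock so expiry can be exercised offline
        self._ttl = ttl
        self._cache = {}               # sha256(token) -> timestamp until which it is trusted

    @staticmethod
    def _key(token):
        # Cache a digest so the cache never holds a replayable bearer token.
        return hashlib.sha256(token.encode()).hexdigest()

    def is_valid(self, authorization):
        scheme, _, token = (authorization or "").strip().partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return False               # caller responds 401, as in the flow above
        key, now = self._key(token), self._clock()
        if self._cache.get(key, 0) > now:
            return True                # cache hit: no introspection call is made
        self._cache.pop(key, None)
        result = self._introspect(token)
        if not result.get("active"):
            return False               # inactive results are never cached
        exp = result.get("exp")        # optional in RFC 7662; never trust past token expiry
        until = now + self._ttl
        self._cache[key] = min(until, exp) if isinstance(exp, (int, float)) else until
        return True

def demo():
    """Constructed scenario: a token revoked at t=60s stays accepted until the entry ages out."""
    now, active, calls = [0.0], {"constructed-token"}, []
    def introspect(token):             # stand-in for the CloudShip introspection call
        calls.append(token)
        return {"active": token in active}
    validator = TokenValidator(introspect, clock=lambda: now[0])
    header = "Bearer constructed-token"
    seen = [validator.is_valid(header)]      # t=0: introspected, then cached
    active.clear()                           # token revoked upstream
    now[0] = 60.0
    seen.append(validator.is_valid(header))  # served from cache
    now[0] = 301.0
    seen.append(validator.is_valid(header))  # cache expired: re-introspected, rejected
    return seen, len(calls)
```

When planning offboarding or responding to a leaked token, budget for that cache window before treating a revocation as effective at the Station.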