> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloudshipai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Configure AI providers and CloudShip authentication

# Authentication

Station supports multiple authentication methods for AI providers and CloudShip platform integration.

## AI Provider Authentication

<Warning>
  **Anthropic OAuth Unavailable**: Anthropic has restricted third-party use of OAuth tokens. Claude Max/Pro subscription authentication (`stn auth anthropic login`) is **not working until further notice**. Please use API key authentication instead.
</Warning>

### API Keys (Recommended)

Set your API key as an environment variable:

```bash theme={null}
# OpenAI
export OPENAI_API_KEY="sk-..."

# Google Gemini
export GEMINI_API_KEY="..."

# Anthropic (pay-per-token billing)
export ANTHROPIC_API_KEY="sk-ant-api03-..."
```

### Authentication Priority

Station checks for credentials in this order:

| Priority | Method                      | Description                                                   |
| -------- | --------------------------- | ------------------------------------------------------------- |
| 1        | `STN_AI_AUTH_TYPE=api_key`  | Force API key mode (override)                                 |
| ~~2~~    | ~~Station OAuth tokens~~    | ~~`stn auth anthropic login`~~ **DEPRECATED**                 |
| ~~3~~    | ~~Claude Code credentials~~ | ~~`~/.claude/.credentials.json`~~ **DEPRECATED**              |
| 4        | Environment variable        | `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, etc. (**Recommended**) |

### Deployments

For all Station instances (local, Docker, K8s, Fly.io), use API keys:

```bash theme={null}
docker run \
  -e OPENAI_API_KEY=$OPENAI_API_KEY \
  -e STN_AI_PROVIDER=openai \
  ghcr.io/cloudshipai/station:latest
```

***

## CloudShip Authentication

Connect your Station to [CloudShip](https://cloudshipai.com) for centralized management, team collaboration, and OAuth-protected MCP access.

### Login with API Key

```bash theme={null}
stn auth login
```

```
Using config file: /home/user/.config/station/config.yaml
🔭 OTEL telemetry enabled - provider=jaeger, endpoint=http://localhost:4318
Enter your CloudShip API key: ▌
```

Get your API key from your [CloudShip dashboard](https://app.cloudshipai.com/settings/api-keys).

### Using Registration Key

For automated deployments, use a registration key in your config:

```yaml theme={null}
# config.yaml
cloudship:
  enabled: true
  registration_key: "sk-reg-..."
  name: "my-station"
  tags: ["production", "us-east-1"]
```

```bash theme={null}
stn serve
# Output: Successfully registered with CloudShip management channel
```

### Check Connection Status

```bash theme={null}
stn auth status
```

```
CloudShip Connection:
  ✅ Connected to CloudShip
  Organization: My Company
  Station: production-us-east
  Last sync: 2 minutes ago

AI Provider:
  ✅ Authenticated with OpenAI (API Key)
  Model: gpt-5-mini
```

### Logout

```bash theme={null}
# Logout from CloudShip
stn auth logout
```

***

## OAuth for MCP Access

When CloudShip OAuth is enabled, MCP clients authenticate through CloudShip before accessing your Station's agents.

### Who Can Access?

Only users who:

1. Have a **CloudShip account**
2. Are **members of your organization**
3. Successfully **authenticate via OAuth**

### Enable OAuth

```yaml theme={null}
# config.yaml
cloudship:
  enabled: true
  registration_key: "your-key"
  name: "my-station"
  oauth:
    enabled: true
    client_id: "your-oauth-client-id"  # From CloudShip OAuth Apps
```

### How It Works

```
MCP Client                    Station                      CloudShip
    |                           |                             |
    |------ POST /mcp --------->|                             |
    |<----- 401 Unauthorized ---|                             |
    |                           |                             |
    |------- [Browser Login] -------------------------------->|
    |<------ [Access Token] ----------------------------------|
    |                           |                             |
    |------ POST /mcp --------->|                             |
    |  Authorization: Bearer    |------ Validate Token ------>|
    |                           |<------ {active: true} ------|
    |<----- MCP Response -------|                             |
```

### MCP Client Configuration

Point your MCP client to port 8587 (Dynamic Agent MCP):

```json theme={null}
{
  "mcpServers": {
    "my-station": {
      "url": "https://my-station.example.com:8587/mcp"
    }
  }
}
```

When connecting, the client will:

1. Receive a 401 with OAuth discovery URL
2. Open CloudShip login in your browser
3. After authentication, automatically retry with the access token

***

## Security Notes

* **Registration keys** should be kept secret - they authorize Station connections
* **OAuth tokens** are validated on every MCP request via CloudShip introspection
* **PKCE** is required for all OAuth flows (S256 code challenge)
* Station caches validated tokens for 5 minutes to reduce introspection calls

## Next Steps

* [Quick Start](/station/quickstart) - Get Station running
* [CloudShip Integration](/station/cloudship) - Full CloudShip setup guide
* [MCP Tools](/station/mcp/tools) - Available MCP tools
