# API Authentication

All API and MCP access is authenticated. Foundation supports multiple authentication methods.

## OAuth 2.0

Your Foundation app is a full OAuth 2.0 provider. Clients can authenticate using standard OAuth flows.

## API Keys

Users and services can generate API keys for programmatic access. Keys are scoped to the permissions of the user who created them.

## Bearer Tokens

For service-to-service communication, use bearer tokens with specific scopes.

## Scoped Access

All authentication methods respect the roles and scopes you've configured. A token only grants access to what its associated role allows.
