MeshAgent supports multiple authentication flows depending on who is connecting: humans, apps, or automated services. The key distinction is whether a human is using MeshAgent’s own interfaces (MeshAgent Studio or Powerboards) or your own app. In most cases you will use API keys on the server side to mint participant tokens for clients or agents.

Access patterns

Human users (MeshAgent Studio or Powerboards)
  • Sign in directly in MeshAgent Studio or Powerboards.
  • MeshAgent issues participant tokens on the user’s behalf (no backend work required).
Human users (your own app)
  • Use your OAuth client to sign the user in.
  • Your backend issues participant tokens so the client can join rooms.
CLI users
  • Run meshagent setup (or meshagent auth login) to sign in via browser-based OAuth (see CLI Quickstart).
  • meshagent setup also prompts the user to activate a project and API key.
  • The CLI token only allows what your project role allows. Even if the login requests broad access, the server will not let you perform actions outside your role.
Backend services and CI
  • Use API keys to call the MeshAgent REST API.
  • Create and manage rooms, secrets, and tokens programmatically.
Agents and tools
  • Receive participant tokens at runtime to connect into rooms.
  • Tokens define room grants and API scopes.

OAuth clients

If you are building an app on top of MeshAgent, create an OAuth client in MeshAgent Studio. Use it to complete user sign-in, then issue participant tokens from your backend so the client can join rooms.

Participant tokens

Participant tokens are short-lived credentials that scope access to a room and its APIs. Use them to control:
  • Which room a client can join.
  • Which APIs or tools the client can call.
  • Whether the participant is a user, agent, or tool.
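The sketch below is an added example, not MeshAgent's token format or SDK: it shows the general pattern of a backend minting a short-lived token bound to one room, one participant role and a set of API scopes, and a server refusing anything outside that grant. The HMAC-signed layout, the function names, the signing key and the scope names ("messaging", "storage") are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed signing secret for this sketch; it stands in for a server-side
# credential that is never shipped to the client.
SERVER_KEY = b"constructed-demo-key-not-a-real-api-key"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key, name, role, room, scopes, ttl=300, now=None):
    """Backend side: issue a short-lived token for one room, role and scope set."""
    now = int(time.time()) if now is None else now
    claims = {"name": name, "role": role, "room": room,
              "scopes": sorted(scopes), "exp": now + ttl}
    body = b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(sig)

def authorize(key, token, room, scope, now=None):
    """Server side: return (allowed, reason) for one API call in one room."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Verify the signature before trusting any claim in the body.
        if not hmac.compare_digest(expected, b64d(sig)):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["room"] != room:
        return False, "wrong room"
    if scope not in claims["scopes"]:
        return False, "scope not granted"
    return True, "ok"
```
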
See the token guide for details: