MCP Authentication

Handles bearer token authentication for all MCP server requests. Tokens follow the format sk-stackie-<64 hex chars> and are stored as SHA-256 hashes in the database.

Token Lifecycle

  1. Enrollment: When an agent is enrolled via stackie mcp enroll, a new token is generated and written to the agent’s config file.
  2. Storage: Only the SHA-256 hash of the token is stored in the SQLite database — the raw token is never persisted server-side.
  3. Validation: On each request, the token carried in the Authorization: Bearer sk-stackie-... header is hashed with SHA-256 and the hash is looked up in the in-memory cache. Cache misses fall back to the database, and a hash found neither in the cache nor in the database is treated as no valid token.
  4. Revocation: Tokens can be revoked via the MCP settings API, which removes the hash from the database and invalidates the cache entry.

Key Concepts

  • Raw tokens are never stored — only their SHA-256 hashes are persisted
  • Tokens are written once to the agent’s config file at enrollment time
  • An in-memory cache maps token hashes to token IDs for fast validation
  • CORS preflight (OPTIONS) requests bypass auth to support browser clients
  • Anonymous sessions (no valid token) are still recorded with token_id = NULL
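The following is an added example, not code from the stackie project, that walks through the token lifecycle above (enrollment, hash-only storage, cache-then-database validation, revocation) and the two key-concept cases that matter for request handling: OPTIONS preflight skipping token validation and anonymous sessions carrying token_id = NULL. It uses an in-memory SQLite database and a plain dict as the cache; the table name `tokens`, its columns, and the `authenticate` return shape are assumptions made for this example, not the project's schema or API.

```python
import hashlib
import re
import secrets
import sqlite3
from typing import Optional

# Token format from the page: "sk-stackie-" followed by 64 hex characters.
TOKEN_PREFIX = "sk-stackie-"
TOKEN_RE = re.compile(r"^sk-stackie-[0-9a-f]{64}$")


def hash_token(token: str) -> str:
    """SHA-256 of the raw token; this hex digest is the only thing ever persisted."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Hash-only token storage with a cache in front of the database.

    Schema (assumed for this example, not the project's own):
    tokens(id INTEGER PRIMARY KEY, token_hash TEXT UNIQUE NOT NULL)
    """

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE tokens (id INTEGER PRIMARY KEY, token_hash TEXT UNIQUE NOT NULL)"
        )
        self.cache: dict[str, int] = {}   # token hash -> token id
        self.db_lookups = 0               # counter so cache behaviour can be observed

    def enroll(self) -> tuple[str, int]:
        """Generate a token, persist only its hash, return (raw token, token id).

        The raw token is returned exactly once so the caller can write it to the
        agent's config file; this object keeps no copy of it.
        """
        token = TOKEN_PREFIX + secrets.token_hex(32)   # 32 bytes -> 64 hex chars
        cur = self.db.execute(
            "INSERT INTO tokens (token_hash) VALUES (?)", (hash_token(token),)
        )
        self.db.commit()
        return token, cur.lastrowid

    def validate(self, authorization_header: Optional[str]) -> Optional[int]:
        """Return the token id for a valid Bearer header, or None otherwise."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None
        token = authorization_header[len("Bearer "):].strip()
        # Reject malformed tokens before hashing: no cache or database work for garbage.
        if not TOKEN_RE.match(token):
            return None
        h = hash_token(token)
        token_id = self.cache.get(h)
        if token_id is not None:
            return token_id                            # cache hit
        self.db_lookups += 1                           # cache miss -> database
        row = self.db.execute(
            "SELECT id FROM tokens WHERE token_hash = ?", (h,)
        ).fetchone()
        if row is None:
            return None                                # unknown or revoked token
        self.cache[h] = row[0]                         # populate cache for next time
        return row[0]

    def revoke(self, token_id: int) -> bool:
        """Delete the hash from the database and drop the cache entry in the same step."""
        row = self.db.execute(
            "SELECT token_hash FROM tokens WHERE id = ?", (token_id,)
        ).fetchone()
        if row is None:
            return False
        self.db.execute("DELETE FROM tokens WHERE id = ?", (token_id,))
        self.db.commit()
        self.cache.pop(row[0], None)   # without this, a revoked token would still validate
        return True


def authenticate(store: TokenStore, method: str, authorization_header: Optional[str]) -> dict:
    """Per-request decision, returning a session record (shape assumed for this example).

    OPTIONS preflight requests are answered without consulting the token store at all;
    every other request is either bound to a token id or recorded as anonymous with
    token_id None (NULL in the database).
    """
    if method.upper() == "OPTIONS":
        return {"preflight": True, "token_id": None}
    return {"preflight": False, "token_id": store.validate(authorization_header)}


if __name__ == "__main__":
    store = TokenStore()
    raw, tid = store.enroll()
    print("enrolled token id", tid, "-> validates as", store.validate("Bearer " + raw))
    store.revoke(tid)
    print("after revocation ->", store.validate("Bearer " + raw))
```

Two details are worth noticing when reading the code: validation rejects anything that does not match the token format before hashing, so the cache and database only ever see well-formed hashes, and revocation removes the cache entry together with the database row, because a stale cache entry would keep a revoked token valid until the process restarted.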