Authentication
How FLORA MCP authenticates with your FLORA account over OAuth.
FLORA MCP uses OAuth 2.1 with PKCE. Your client opens a browser, you sign in to FLORA, and the client stores a token scoped to your workspace. You never paste an API key into the client.
OAuth flow
- First tool call triggers the flow
When your agent first calls a FLORA tool, the client opens a browser to FLORA’s authorization page.
- Sign in and approve
Sign in with your FLORA account. Approve access for the requested scopes. If you belong to multiple workspaces, pick which one to connect.
- Token stored in your client
Your client stores the access and refresh tokens locally. Subsequent tool calls happen silently. You won’t be prompted again until the refresh token expires.
What FLORA MCP can access
FLORA MCP receives the same permissions your FLORA user has in the connected workspace. If your account can list Techniques, run them, and upload assets in the FLORA app, the MCP can too. If it can’t, the MCP can’t either.
| Capability | Granted by default |
|---|---|
| List and read Techniques, Projects, Workspaces, Assets, Models | Yes |
| Create runs (uses workspace credits) | Yes |
| Upload assets | Yes |
| Create or modify Projects | If your role allows it in FLORA |
| Manage billing or workspace members | No |
Permission-restricted operations return the same 403 forbidden error as the REST API. See Errors.
API keys vs OAuth — when to use which
| | API key | OAuth (MCP) |
|---|---|---|
| Where it lives | Server env var, secrets manager | Inside your local MCP client |
| Identity | One service account per key | A specific human user |
| Audit trail | "API key sk_live_xxx did this" | "Alice in Cursor did this" |
| Revocation | Per key, by anyone with workspace admin | Per client, by the user |
| Best for | Backend jobs, CI, automation | Interactive use in any MCP-compatible agent |
You can run both at once. A pipeline that uses the REST API server-side and a designer in Cursor using FLORA MCP will both show up in the same workspace billing and Project views.
Security notes
- Tokens are stored by the MCP client, not by FLORA. Treat the client’s config directory the same way you’d treat an SSH key.
- If a laptop is lost or shared, revoke the relevant client connection in FLORA immediately.
- FLORA MCP only ever runs in your client’s local process. There is no third-party relay of your tokens.
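One way to apply the "treat it like an SSH key" note on a POSIX system is to audit the client's token directory for anything readable beyond its owner, then tighten it. This is an added example, not FLORA's or any MCP client's own code. The directory name `mcp-client` and file name `tokens.json` are hypothetical stand-ins, since the real location depends on your client.

```python
import os
import stat
import tempfile

def audit_token_store(root):
    """Return (path, reason) for each entry under root that is not owner-only."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: token data may live outside the store"))
            continue
        if st.st_uid != os.getuid():
            findings.append((path, "owned by another user"))
        if st.st_mode & 0o077:  # any group/other permission bit set
            findings.append((path, "group/other access, mode %04o" % stat.S_IMODE(st.st_mode)))
    return findings

def harden_token_store(root):
    """Apply the modes conventionally used for ~/.ssh: 0700 directories, 0600 files."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # do not chmod through a symlink
                os.chmod(path, 0o600)

def demo():
    """Build a constructed, deliberately loose token store; audit, harden, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "mcp-client")          # hypothetical directory name
        token_file = os.path.join(store, "tokens.json")  # hypothetical file name
        os.mkdir(store)
        with open(token_file, "w") as fh:
            fh.write('{"refresh_token": "CONSTRUCTED-SAMPLE"}')
        os.chmod(store, 0o755)
        os.chmod(token_file, 0o644)
        before = audit_token_store(store)
        harden_token_store(store)
        return before, audit_token_store(store)

if __name__ == "__main__":
    before, after = demo()
    for path, reason in before:
        print("FINDING", path, reason)
    print("findings after hardening:", len(after))
```

Point `audit_token_store` at your client's actual config directory to check a real installation. Symlinks and files owned by another user are reported but left for you to resolve by hand.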