Bearer token in the
Authorization header. There are four supported token types, evaluated in
this priority order:
| Priority | Token format | Who uses it | How to obtain |
|---|---|---|---|
| 1 | Opaque Olira API key (YOUR_API_KEY) | Backend services, Cursor, CI pipelines | Console → Settings → API Keys, or olira keys create |
| 2 | Olira-issued RS256 JWT (iss: "olira-api-keys") | SDK / automated clients | POST /auth/token: exchange your API key for a short-lived JWT |
| 3 | Patient Token (RS256, user_type: "patient") | Patient-facing apps and agents | client.get_patient_token(patient_id) via the Python SDK |
| 4 | Auth0 JWT (interactive console session) | Provider agents with a console login | Auth0 Authorization Code + PKCE via olira login |
Required scope
All API keys used with the MCP must carry themcp:patient-state scope.
Keys without this scope receive 403 Forbidden. Create a key with the correct
scope in the Console or with the CLI:
Patient Tokens
Patient Tokens are short-lived (15 min) JWTs locked to a single patient. Use them when running an agent on a patient-facing device; thepatient_id is
embedded in the token and cannot be overridden by the caller.
Mint server-side using the Python SDK (pip install olira).
The API key used here must carry the sdk:patient-token scope; create one with
olira keys create --name "token-minter" --scopes sdk:patient-token.
patient_id from all tool arguments; it is
resolved automatically from the token.
Authentication errors
| Status | Meaning |
|---|---|
401 | Missing, expired, or malformed token |
403 | Valid token but missing mcp:patient-state scope, or patient not in your organization |

