Authentication Overview
BlokMCP uses API key-based authentication with multi-tenant isolation and secure token management.
Authentication Flow
- Request Validation
  - Client includes the API key in the request header
  - Server validates the key format and authenticity
- Organization Context
  - Loads organization details and subscription tier
  - Checks rate limits and usage quotas
  - Validates account status
- Token Resolution
  - Retrieves the encrypted Storyblok credentials
  - Decrypts the tokens for the request
  - Determines which Storyblok space to use
- Request Authorization
  - Verifies permissions for the requested operation
  - Tracks usage for billing
  - Logs the request for the audit trail
Security Features
- Secure Key Storage: API keys are hashed using industry-standard algorithms
- Token Encryption: Storyblok tokens encrypted at rest
- Multi-Tenant Isolation: Database-level security ensures data separation
- Rate Limiting: Per-organization limits based on subscription tier
- Audit Logging: All requests logged for security and compliance
Space Selection
When multiple Storyblok spaces are connected:
- Use the X-Storyblok-Space-Id header to specify the space
- Falls back to the default space if one is set
- Single-space organizations auto-select their only space
Error Responses
Authentication errors return appropriate HTTP status codes with descriptive messages:
- Invalid API key
- Rate limit exceeded
- Subscription expired
- Insufficient permissions
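The flow, space selection and error categories above, as one added example that is not BlokMCP's own code. It assumes an X-API-Key request header, keys prefixed with blok_, a SHA-256 hash store, constructed organization data and an assumed mapping of each error category to an HTTP status.

```python
import hashlib

# Constructed sample data, not BlokMCP's real schema. Only the SHA-256 of each
# API key is stored, so a leaked table does not yield usable keys.
TIER_LIMITS = {"free": 3, "pro": 100}  # requests per window; assumed values
ORGS_BY_KEY_HASH = {
    hashlib.sha256(b"blok_test_key_123").hexdigest(): {
        "org": "acme", "tier": "free", "active": True,
        "spaces": {"111": "enc:token-a", "222": "enc:token-b"},  # encrypted at rest
        "default_space": "111",
    },
}
USAGE = {}  # org -> requests in the current window (in-memory stand-in)


class AuthError(Exception):
    """Error categories from the page; the HTTP status mapping is assumed."""

    def __init__(self, code: str, status: int):
        super().__init__(code)
        self.code, self.status = code, status


def authenticate(headers: dict) -> dict:
    # 1. Request validation: key format first, then authenticity via hash lookup
    #    (the plaintext key is never stored or logged).
    api_key = headers.get("X-API-Key", "")  # header name is an assumption
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    org = ORGS_BY_KEY_HASH.get(digest) if api_key.startswith("blok_") else None
    if org is None:
        raise AuthError("invalid_api_key", 401)
    # 2. Organization context: account status, then the per-tier rate limit.
    if not org["active"]:
        raise AuthError("subscription_expired", 403)
    count = USAGE.get(org["org"], 0) + 1
    if count > TIER_LIMITS[org["tier"]]:
        raise AuthError("rate_limit_exceeded", 429)
    USAGE[org["org"]] = count
    # 3. Token resolution: explicit header wins, then the default space, then
    #    auto-select when the organization has exactly one space.
    space = headers.get("X-Storyblok-Space-Id") or org["default_space"]
    if space is None and len(org["spaces"]) == 1:
        space = next(iter(org["spaces"]))
    if space not in org["spaces"]:
        # Assumption: a space the organization does not own is a permission error.
        raise AuthError("insufficient_permissions", 403)
    # 4. The encrypted token for this space would be decrypted here (not shown);
    #    the reference is returned so usage tracking and audit logging can follow.
    return {"org": org["org"], "space": space, "token_ref": org["spaces"][space]}
```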