Authentication
All Aigon integrations — REST API, CLI, and MCP — require authentication. There are two types of token:
| Type | Lifetime | Used by |
|---|---|---|
| API token | Permanent — never expires, no refresh | CLI, REST API |
| OAuth access token | Short-lived (~1 hour), auto-refreshed | MCP Server |
API tokens are obtained from the Telegram Auth Bot or the AigonOne web app. OAuth tokens are issued automatically during the browser consent flow.
Telegram Auth Bot
The simplest way to get an API token. No prior account needed — your Telegram identity is your credential.
- Open t.me/aigon_auth_bot
- Send `/get`
- Copy the token
Commands:
| Command | What it does |
|---|---|
| `/get` | Returns your current token (creates one if you don't have one) |
| `/revoke` | Invalidates the current token and issues a new one |
AigonOne Web App
If you're already signed in to a1.aigon.ai, you can get your token from the web interface:
- Click your profile icon (top right)
- Select API Token
- Copy the displayed token
From this screen you can also regenerate or delete your token.
OAuth
The REST API (api.aigon.ai) implements a full OAuth 2.1 authorization server. The AigonOne web app (a1.aigon.ai) acts as the browser-facing rendering proxy: it handles login and consent UI, but all OAuth logic and state live in the REST API.
This is used by the MCP Server. When an MCP client first connects, it opens a browser window for login and consent — no manual token handling required. Every MCP consumer (Claude Code, Claude Desktop, or any other MCP-compatible client) runs the same flow.
How it works
- The MCP client discovers the OAuth metadata from `a1.aigon.ai`
- It registers dynamically with `api.aigon.ai/oauth/register`
- A browser window opens at `a1.aigon.ai/oauth/authorize` for login + consent
- A1 proxies the authorization to `api.aigon.ai`, which issues the code
- The client exchanges the code for tokens at `api.aigon.ai/oauth/token`
Endpoints
| Endpoint | Host | Purpose |
|---|---|---|
| `/.well-known/oauth-authorization-server` | a1.aigon.ai | Metadata discovery |
| `/oauth/authorize` | a1.aigon.ai | Browser login + consent |
| `/oauth/register` | api.aigon.ai | Dynamic client registration |
| `/oauth/token` | api.aigon.ai | Token exchange |
| `/oauth/revoke` | api.aigon.ai | Token revocation |
Standards
- OAuth 2.1 with Authorization Code + PKCE (RFC 7636)
- Dynamic client registration (RFC 7591)
- Authorization server metadata (RFC 8414)
- Access tokens are short-lived (~1 hour), refresh tokens ~30 days
Using Your Token
Once you have a token, use it as a Bearer token in the Authorization header:
```
Authorization: Bearer YOUR_TOKEN
```
CLI
```bash
aigon config set api.token YOUR_TOKEN
```
REST API
```bash
curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://api.aigon.ai/health
```
MCP Server
OAuth handles this automatically — no manual token configuration needed.