Docs navigation
Authentication
API keys, the two auth modes, and the user-id rule for agents.
Every IP Bot surface — app, CLI, MCP server — authenticates the same way. The GraphQL endpoint is shared across all users; only your key is yours.
Prerequisite: a key (private beta)
IP Bot is in private beta. You need an ipbot_live_… key before any npx / MCP / skill step will work — request access, then copy your key from Settings → API Keys. Without a valid key, calls fail with UNAUTHENTICATED.
Two auth modes
- Human (interactive) —
ipbot auth loginruns a Cognito Authorization-Code + PKCE flow in your browser and caches a token. Best at a real keyboard. - Agent (API key) — set
IPBOT_API_KEY=ipbot_live_…and the key identifies you on every call. Best for CI, scripts, and MCP clients.
Check who you are and how you're authed at any time:
> npx @island-pitch/ip-bot-cli auth whoami --output jsonEnvironment variables
| Variable | What it's for |
|---|---|
| IPBOT_APPSYNC_ENDPOINT | The platform GraphQL endpoint. Same for everyone. |
| IPBOT_API_KEY | Your per-user key (ipbot_live_…). Authenticates you and debits your Winds. |
| IPBOT_USER_ID | Your Cognito sub. Default user for commands that act on a user (content, calendar, org). Get it from `ipbot auth whoami`. |
| IPBOT_AUTH_TOKEN | Optional Cognito ID token instead of an API key (interactive/human auth). |
> export IPBOT_APPSYNC_ENDPOINT=https://api.islandpitch.bot/graphql
> export IPBOT_API_KEY=ipbot_live_xxxxxxxxxxxxxxxxThe user-id rule (important for agents)
Powers and Winds are resolved from your key — they need no user id. Content, calendar, and org commands act on behalf of a user, so under API-key auth they need your Cognito sub. Provide it with --user-id <sub> (CLI) / the userId arg (MCP), or set IPBOT_USER_ID once. If neither is set, those commands error clearly rather than returning empty data.
> # one-time: make your sub the default for user-scoped commands
> export IPBOT_USER_ID=$(npx @island-pitch/ip-bot-cli auth whoami --output json | jq -r .userId)
> npx @island-pitch/ip-bot-cli content list --output jsonKey rotation & scopes
- Create, name, and revoke keys in Settings → API Keys. Revoking is immediate.
- A key inherits your license + Winds; it cannot exceed your own permissions.
- Rotate by issuing a new key, updating
IPBOT_API_KEY, then revoking the old one. - Treat keys like passwords — never commit them or paste them into shared logs.
Hitting auth errors? See Troubleshooting.