
Authentication

How to authenticate with every Taskade developer surface — Personal Access Tokens for scripts and MCP, OAuth 2.0 with PKCE for third-party apps.

Every Taskade developer surface — the REST API v1, the Action API v2, and the MCP servers — authenticates with a Bearer token. There are two kinds you can create.

Which credential should I use?

| If you are… | Use | How |
| --- | --- | --- |
| Writing a script, or using the SDK / CLI / inbound @taskade/mcp-server | Personal Access Token | Authorization: Bearer tskdp_… |
| Building a third-party app that acts on behalf of other users | OAuth 2.0 (Authorization Code + PKCE) | Redirect flow |
| Connecting Claude / Cursor to the hosted MCP at https://www.taskade.com/mcp | OAuth 2.0 | Handled automatically by the MCP client |


Personal Access Tokens

The simplest way to authenticate as yourself. Best for server-to-server scripts, the inbound MCP server, and getting started.

Create a token

  1. Click Create new token and give it a descriptive name.

  2. Copy the token immediately — it is shown only once.

A personal access token starts with the prefix tskdp_. You can hold up to 5 tokens per account, and your email must be verified to create one.

Use a token

Send it in the Authorization header on every request:

The inbound MCP server reads it from the TASKADE_API_KEY environment variable — see Workspace MCP.


OAuth 2.0

Use OAuth 2.0 when your application acts on behalf of other users (so each user signs in and grants access), or when connecting to the hosted MCP endpoint.

Endpoints

| Purpose | URL |
| --- | --- |
| Authorization | https://www.taskade.com/oauth2/authorize |
| Token / Refresh | https://www.taskade.com/oauth2/token |
| Dynamic client registration | https://www.taskade.com/oauth2/register |
| Server metadata (RFC 8414) | https://www.taskade.com/.well-known/oauth-authorization-server |

Register an application

Go to taskade.com/settings/api → OAuth 2.0 Apps and register your app to obtain a Client ID and Client Secret, and to set your redirect URI(s).

Authorization Code flow (with PKCE)

Taskade supports the Authorization Code grant with PKCE (S256) — the recommended flow for both confidential and public clients.

  1. Redirect the user to /oauth2/authorize with client_id, redirect_uri, response_type=code, a PKCE code_challenge (and code_challenge_method=S256), and any scope.

  2. Exchange the returned code at /oauth2/token (grant_type=authorization_code) along with your code_verifier. Confidential apps also send client_secret; public clients use PKCE only.

  3. You receive an access_token (valid for 1 hour) and a refresh_token.

Generating the PKCE pair (the step most implementations get wrong):
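
An added example (not Taskade's own code) that generates the pair in Python as RFC 7636 specifies and builds the step 1 redirect URL. The function names, the client ID and the redirect URI are assumptions made for illustration.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://www.taskade.com/oauth2/authorize"  # from the endpoint table

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(data: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 bytes from the OS CSPRNG, encoded to a 43-character verifier."""
    return _b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256: BASE64URL(SHA256(verifier)) over the raw digest bytes, not the hex string."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(client_id: str, redirect_uri: str, challenge: str, scope: str) -> str:
    """Step 1 redirect target. Only the challenge goes here, never the verifier."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "scope": scope,
    })


if __name__ == "__main__":
    # Constructed values: substitute your registered client ID and redirect URI.
    verifier = make_verifier()  # keep this in the user's session until the token exchange
    print(authorize_url("example-client-id", "https://app.example/callback",
                        challenge_for(verifier), "mcp"))
```
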

Send code_challenge (with code_challenge_method=S256) on the authorize request, then send the original code_verifier on the token exchange below.

Refresh an expired token

Access tokens expire after one hour. Exchange the stored refresh token for a new access token:

Only the authorization_code and refresh_token grants are supported. The password, implicit, and client_credentials grants are rejected.

Scopes & the hosted MCP

The hosted MCP server at https://www.taskade.com/mcp requires an OAuth token carrying the mcp scope. MCP clients (Claude Desktop, Cursor, Claude Code) perform this OAuth handshake — including dynamic client registration — automatically when you add the server URL, so you normally don't implement it yourself.


Security Best Practices

  • Never expose tokens in client-side code. Personal tokens grant full account access.

  • Use OAuth, not personal tokens, for any app used by more than one person.

  • Store refresh tokens encrypted at rest — they're long-lived.

  • Rotate personal tokens periodically; you can keep up to 5 active.

  • Always use HTTPS.
