Skip to content

Authenticate to Vexly from Scripts, CLI, and MCP Clients

Use Vexly-issued tokens for external clients. Do not use raw Firebase ID tokens directly from scripts or MCP clients.

  • Python, Node, curl, Bash, CI jobs: Personal access token
  • CLI, Claude Desktop, Cursor, VS Code, OpenClaw: Device flow or a PAT
  • Remote MCP clients with OAuth support: OAuth bearer token

Personal Access Tokens

Personal access tokens are the fastest path for scripts and initial testing.

Create a PAT

  1. Sign in to the Vexly dashboard.
  2. Open the access tokens page.
  3. Create a new token.
  4. Copy it immediately.

Set it in your shell:

export VEXLY_ACCESS_TOKEN='your_token_here'
export VEXLY_BASE_URL='https://api.vexly.io/api/v1/public'

Device Flow

Device flow is the best fit when the client runs in a terminal or on a machine where browser auth is awkward.

The basic flow is:

  1. Start device auth against Vexly.
  2. Open the verification URL on your laptop or phone.
  3. Sign in to Vexly in the browser.
  4. Approve the pending device request.
  5. Store the issued Vexly access token locally.

The sample CLI in the public repo can start this flow for you.

OAuth Browser Flow

Use OAuth when the MCP client or desktop tool can handle browser auth cleanly.

This flow still uses the Vexly web login experience in the browser, but the client receives a Vexly-issued access token after approval.

What the Token Can Do

Current public scopes include:

  • agent:run
  • agent:read
  • mcp:use

Security Notes

  • Store PATs and access tokens in a secure secret store or your shell profile, not in source control.
  • Revoke any token that was pasted into chat, screenshots, or shared logs.
  • Prefer short-lived OAuth tokens for shared or multi-user environments.