> ## Documentation Index
> Fetch the complete documentation index at: https://www.pickfu.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate the PickFu CLI, MCP server, and API

> Authenticate the PickFu CLI and MCP server using OAuth 2.0 or API keys, including setup for headless environments, CI pipelines, and automation.

Both the CLI and MCP server use OAuth 2.0 to authenticate with your PickFu account. The CLI also supports API key authentication for non-interactive environments.

## How it works

When you use the CLI or MCP server for the first time, you'll be redirected to your PickFu account to authorize the app. Once you approve, the tool handles tokens automatically.

## CLI

### OAuth (recommended)

Run the login command to authenticate:

```bash theme={null}
pickfu auth login
```

This opens a browser window where you sign in to your PickFu account and authorize the CLI. Once approved, your credentials are stored locally and refreshed automatically.

For headless environments (servers, CI), use `--headless` to print the URL instead of opening a browser:

```bash theme={null}
pickfu auth login --headless
```

### API key

For CI pipelines, scripts, and automation, you can authenticate with an API key instead of OAuth:

```bash theme={null}
# Via environment variable
export PICKFU_API_KEY=your_api_key
pickfu survey list

# Via flag (takes highest precedence)
pickfu survey list --token your_api_key
```

**Token precedence:** `--token` flag > `PICKFU_API_KEY` environment variable > stored OAuth token.

### Check status

```bash theme={null}
pickfu auth status          # Verify authentication against the API
pickfu auth status --local  # Check locally without API call
pickfu auth logout          # Clear stored credentials
```

## MCP server

### OAuth (automatic)

The MCP server authenticates through your MCP client. When you first connect, your client prompts you to sign in to your PickFu account via OAuth. For example, Cursor prompts for WorkOS login automatically — no manual token setup required.

### API key

For automation, CI/CD pipelines, and long-running agents, you can authenticate the MCP server with an API key instead of OAuth. Pass the key as a Bearer token in the `Authorization` header of your MCP client configuration.

Create an API key at [Settings > API Keys](https://app.pickfu.com/settings/api-keys), then add it to your client config:

<CodeGroup>
  ```bash Claude Code theme={null}
  claude mcp add pickfu --transport http https://mcp.pickfu.com/mcp \
    --header "Authorization: Bearer sk_your_api_key"
  ```

  ```json Cursor (.cursor/mcp.json) theme={null}
  {
    "mcpServers": {
      "pickfu": {
        "url": "https://mcp.pickfu.com/mcp",
        "transport": "streamable-http",
        "headers": {
          "Authorization": "Bearer sk_your_api_key"
        }
      }
    }
  }
  ```
</CodeGroup>

See the [MCP server](/integrations/mcp-server) guide for client-specific setup instructions.

## Token management

Both tools handle token storage and refresh automatically. You don't need to manage tokens manually.

* **CLI** — Tokens are stored in `~/.config/pickfu/config.json` and refreshed when they expire. Run `pickfu auth login` again if you need to re-authenticate.
* **MCP server** — Your MCP client manages the OAuth session. Re-authorize through your client if needed.

## Need help?

Having trouble authenticating? Contact [support@pickfu.com](mailto:support@pickfu.com) for assistance.