Overview

The Trending Society API supports two authentication methods:
  1. JWT Bearer Token - For user-authenticated requests
  2. API Key - For server-to-server and agent requests

Bearer Token (JWT)

For user-facing applications, use Supabase Auth JWTs:
curl -X GET https://api.trendingsociety.com/v1/content \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Obtaining a Token

const { data, error } = await supabase.auth.signInWithPassword({
  email: '[email protected]',
  password: 'password123'
});

const token = data.session.access_token;

Token Contents

JWTs contain:
{
  "sub": "user-uuid",
  "email": "[email protected]",
  "role": "authenticated",
  "app_metadata": {
    "tenant_id": "tenant-uuid"
  },
  "exp": 1735689600
}

API Key

For server-to-server communication and AI agents:
curl -X GET https://mcp.trendingsociety.com/tools/list \
  -H "X-API-Key: mcp_live_xxx"

Key Types

| Type | Prefix | Use Case |
| --- | --- | --- |
| Development | mcp_dev_ | Local testing |
| Production | mcp_live_ | Production agents |
| Service | srv_ | Internal services |

Creating API Keys

  1. Navigate to Dashboard: Go to Settings > API Keys in the dashboard
  2. Create New Key: Click “Create API Key” and select the scope
  3. Copy Key: Copy the key immediately - it won’t be shown again
  4. Store Securely: Add to environment variables or secrets manager

API keys are stored hashed. If you lose a key, you must create a new one.
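
The following is an added example, not Trending Society's own code: a minimal Node.js sketch of hash-only key storage, showing why a key can be displayed once at creation and never recovered afterwards. The key layout (prefix + lookup id + "." + secret), the use of SHA-256, the in-memory store, and the names createKey and verifyKey are all assumptions made for illustration.

```javascript
// Added example: hash-only API key storage (assumed scheme, hypothetical names).
const crypto = require('node:crypto');

// Prefixes taken from the Key Types table on this page.
const PREFIXES = { mcp_dev_: 'development', mcp_live_: 'production', srv_: 'service' };

// A fast hash is adequate here because the secret is 32 random bytes,
// not a human-chosen password that could be guessed offline.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// In-memory stand-in for the key table: lookup id -> { hash, type }.
const store = new Map();

// Create a key. The plaintext is returned once and never stored.
function createKey(prefix) {
  if (!Object.hasOwn(PREFIXES, prefix)) throw new Error(`unknown prefix: ${prefix}`);
  const id = crypto.randomBytes(6).toString('hex'); // non-secret lookup id
  const secret = crypto.randomBytes(32).toString('base64url');
  const key = `${prefix}${id}.${secret}`;
  store.set(id, { hash: sha256(key), type: PREFIXES[prefix] });
  return key;
}

// Verify a presented X-API-Key value. Returns the key type, or null on failure.
function verifyKey(presented) {
  if (typeof presented !== 'string') return null;
  const prefix = Object.keys(PREFIXES).find((p) => presented.startsWith(p));
  if (!prefix) return null;
  const id = presented.slice(prefix.length).split('.')[0];
  const record = store.get(id);
  // Reject a stored key replayed under a different environment prefix.
  if (!record || record.type !== PREFIXES[prefix]) return null;
  // Both digests are 32 bytes, so the constant-time comparison cannot throw.
  return crypto.timingSafeEqual(sha256(presented), record.hash) ? record.type : null;
}
```

Because the store holds only digests, a database leak does not expose usable keys, and the only remedy for a lost key is issuing a new one.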

MCP Server Authentication

The MCP server at mcp.trendingsociety.com uses API key authentication:

Claude Desktop

{
  "mcpServers": {
    "trendingsociety": {
      "type": "sse",
      "url": "https://mcp.trendingsociety.com/sse",
      "headers": {
        "X-API-Key": "mcp_live_xxx"
      }
    }
  }
}

Cursor

{
  "mcp.servers": {
    "trendingsociety": {
      "url": "https://mcp.trendingsociety.com",
      "apiKey": "mcp_live_xxx"
    }
  }
}

Direct HTTP

# List available tools
curl -X GET https://mcp.trendingsociety.com/tools/list \
  -H "X-API-Key: mcp_dev_local"

# Execute a tool
curl -X POST https://mcp.trendingsociety.com/tools/execute \
  -H "X-API-Key: mcp_dev_local" \
  -H "Content-Type: application/json" \
  -d '{"tool": "list_issues", "params": {"team": "Engineering"}}'

Rate Limiting

| Endpoint | Limit | Window |
| --- | --- | --- |
| API (authenticated) | 1000 req | per minute |
| API (unauthenticated) | 60 req | per minute |
| MCP tools | 100 req | per minute |

Rate limit headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1735689600

Error Responses

401 Unauthorized

{
  "error": "Unauthorized",
  "code": "AUTH_REQUIRED",
  "message": "Missing or invalid authentication token"
}

403 Forbidden

{
  "error": "Forbidden",
  "code": "INSUFFICIENT_PERMISSIONS",
  "message": "API key does not have access to this resource"
}

429 Rate Limited

{
  "error": "Too Many Requests",
  "code": "RATE_LIMITED",
  "message": "Rate limit exceeded. Retry after 60 seconds",
  "retryAfter": 60
}

Security Best Practices

API keys should only be used server-side. For client apps, use JWT tokens from user authentication.
Create new keys periodically and deprecate old ones. The dashboard shows last usage time to identify unused keys.
Never commit keys to version control. Use environment variables or a secrets manager.
# .env.local (never commit)
MCP_API_KEY=mcp_live_xxx
Create separate keys for different environments and use cases. Production keys should have minimal required permissions.