The Signa MCP server supports two authentication methods: API keys and OAuth 2.1. Use whichever fits your setup.

Overview

| | API Key | OAuth 2.1 |
|---|---|---|
| Header | Bearer sig_live_* | Bearer <jwt_token> |
| Setup | Paste key into MCP client config | Browser login + consent (automatic) |
| Best for | Scripts, CI/CD, quick setup | Interactive AI agents (Claude, ChatGPT) |
| Rate limit | Per org, by tier | Per org, MCP tier (100 req/min) |

Using an API key

If you already have a Signa API key, you can use it directly with MCP. No OAuth flow needed.

For Claude Code with an API key header:

```bash
claude mcp add signa https://api.signa.so/mcp -t http -h "Authorization: Bearer sig_live_YOUR_KEY"
```

For Claude Desktop with a static header:

```json
{
  "mcpServers": {
    "signa": {
      "url": "https://api.signa.so/mcp",
      "type": "streamableHttp",
      "headers": {
        "Authorization": "Bearer sig_live_YOUR_KEY"
      }
    }
  }
}
```

Using OAuth

MCP clients that support OAuth will handle the login flow automatically. When you first connect, a browser window opens for you to sign in at app.signa.so and approve access. After that, the token refreshes silently.

Discovery

MCP clients discover the authorization server automatically via a standard endpoint:

```bash
curl https://api.signa.so/.well-known/oauth-protected-resource
```

```json
{
  "resource": "https://api.signa.so",
  "authorization_servers": ["https://app.signa.so/api/auth"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["read", "search", "portfolio", "offline_access"]
}
```

This follows RFC 9728 (OAuth 2.0 Protected Resource Metadata).
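
A client-side check of the discovery document above, as an added example (not Signa's or any MCP client's own code): RFC 9728 requires a client to discard metadata whose `resource` value does not match the URL it was fetched from, so the check runs before the advertised authorization server is trusted. The function names and the decision to reject scopes that are not advertised are assumptions of this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Response body copied from the discovery example on this page.
SAMPLE_METADATA = json.loads("""{
  "resource": "https://api.signa.so",
  "authorization_servers": ["https://app.signa.so/api/auth"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["read", "search", "portfolio", "offline_access"]
}""")


def resource_for(metadata_url):
    """Recover the resource identifier the well-known suffix was inserted into."""
    u = urlsplit(metadata_url)
    if u.scheme != "https" or not u.path.startswith(WELL_KNOWN):
        raise ValueError("not an https protected-resource metadata URL")
    return urlunsplit((u.scheme, u.netloc, u.path[len(WELL_KNOWN):], u.query, ""))


def check_metadata(metadata_url, metadata, wanted_scopes):
    """Return (authorization_server, scopes) or raise ValueError."""
    # RFC 9728 section 3.3: a mismatched "resource" means the document must not be used.
    if metadata.get("resource") != resource_for(metadata_url):
        raise ValueError("resource does not match the URL the metadata came from")
    servers = metadata.get("authorization_servers")
    if not isinstance(servers, list) or not servers:
        raise ValueError("no authorization server advertised")
    for s in servers:
        p = urlsplit(s)
        if p.scheme != "https" or not p.netloc or p.query or p.fragment:
            raise ValueError(f"unacceptable authorization server: {s!r}")
    # The access token travels in the Authorization header, so that method must be offered.
    if "header" not in metadata.get("bearer_methods_supported", ["header"]):
        raise ValueError("header bearer method not supported")
    # Assumption of this example: only request scopes the server advertises.
    unknown = set(wanted_scopes) - set(metadata.get("scopes_supported", []))
    if unknown:
        raise ValueError(f"scopes not advertised: {sorted(unknown)}")
    return servers[0], sorted(wanted_scopes)


if __name__ == "__main__":
    url = "https://api.signa.so" + WELL_KNOWN
    print(check_metadata(url, SAMPLE_METADATA, {"read", "search"}))
```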

Scopes

| Scope | Grants access to |
|---|---|
| read | Search, view trademarks, owners, attorneys, firms, proceedings |
| search | Execute full-text and phonetic trademark searches |
| portfolio | Manage portfolios, saved searches, and watches |
| offline_access | Refresh token for long-lived sessions |

Most MCP clients request read and search by default, which covers all read-only tools.

Token format

Access tokens are JWTs signed by the Signa auth server. They contain:

| Claim | Description |
|---|---|
| sub | Your user ID |
| org_id | Your organization ID (custom claim) |
| scope | Granted scopes (space-separated) |
| aud | https://api.signa.so |
| iss | https://app.signa.so/api/auth |
| exp | Token expiration timestamp |

The Signa API validates tokens using the JWKS endpoint at https://app.signa.so/api/auth/jwks.

On first connection, you will see a consent screen listing the permissions the MCP client is requesting. You can approve or deny access. Approved consents are remembered so you are not prompted again on reconnection. You can revoke consent at any time from your account settings at app.signa.so.

Rate limits

MCP requests share a dedicated rate limit tier:

| Tier | Limit | Window |
|---|---|---|
| MCP | 100 requests | 60 seconds |

Rate limit headers are returned on every response:

```
RateLimit-Policy: 100;w=60
RateLimit: remaining=87, reset=42
```

If you hit the limit, the response includes a Retry-After header.

Troubleshooting

Your MCP client is not sending the access token. Re-authenticate by removing and re-adding the MCP connection.
Your Signa account has not completed onboarding. Log in at app.signa.so and create an organization first.
Your token has expired. Most MCP clients handle refresh automatically. If the error persists, remove and re-add the connection to re-authenticate.
You are sending more than 100 MCP requests per minute. Wait for the Retry-After period or reduce request frequency.