Intercal

Authentication

Intercal is a public read substrate. Authentication raises limits and unlocks scoped surfaces; it is not required for ordinary read queries today.

REST

Anonymous reads are allowed for /api/v1/* under a tight per-IP rate limit. A valid bearer API key raises the rate limit and unlocks scoped operations such as subscription management.

Authorization: Bearer ical_sk_...

Bad credentials return 401; they do not fall back to anonymous mode.

API keys are generated by the operator CLI, stored as SHA-256 hashes, and shown only once at issuance. Rotation means issuing a new key, handing it off, then revoking the old key id.

MCP

MCP uses OAuth 2.1 resource-server validation when an Authorization Server is configured by environment. The resource server validates bearer JWT access tokens against issuer, audience, expiry, signature, algorithm allowlist, and required scopes.

When MCP_OAUTH_ISSUER is unset, MCP keeps the public-read posture and does not advertise Protected Resource Metadata.

Subscriptions

Subscription create, list, poll, dispatch, and delete require an API key. Keys are passed to the SDK/REST call and must not be persisted in browser state or echoed in public output.