> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sedata-ai.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate the OTLP exporter against Sedata Cloud or your own collector.

Auth is configured via the `exporterAuth` field on `TelemetryConfig`. The same
credential is forwarded to the safety-check API automatically.

## Bearer token (recommended)

The simplest mode — works with Sedata Cloud out of the box.

```ts theme={null}
import type { TelemetryConfig } from '@sedata-ai/mcp'

const config: TelemetryConfig = {
  serverName: 'my-server',
  serverVersion: '1.0.0',
  exporterEndpoint: 'https://otel.sedata-ai.tech/v1',
  exporterAuth: {
    type: 'bearer',
    token: process.env.SEDATA_TOKEN!,
  },
}
```

The exporter sends `Authorization: Bearer <token>` on every request.

## API key

Some collectors prefer a custom header. Use `apiKey` to send `x-api-key`:

```ts theme={null}
const config: TelemetryConfig = {
  serverName: 'my-server',
  serverVersion: '1.0.0',
  exporterEndpoint: 'https://collector.example.com/v1',
  exporterAuth: {
    type: 'apiKey',
    apiKey: process.env.OTEL_API_KEY!,
  },
}
```

This also enables `safetyCheck` to authenticate against
`api.sedata-ai.tech/security/safety-check`.

## Basic auth

`type: 'basic'` is accepted by `ConfigValidator` but the basic header is
currently a no-op in the exporter setup (it's commented out in
`telemetry.ts`). Until that ships, use `bearer` or `apiKey` and put basic-auth
behind a proxy if you must.

```ts theme={null}
// Validates, but the header is not yet emitted.
const config: TelemetryConfig = {
  // ...
  exporterAuth: {
    type: 'basic',
    username: 'collector',
    password: 'secret',
  },
}
```

<Note>
  Track [#auth-basic](https://github.com/sedata-ai/sedata-ai-packages) for
  status. Until it lands, use a sidecar (`nginx`, `envoy`, `caddy`) to
  inject the `Authorization: Basic ...` header.
</Note>

## No auth (private network)

Skip `exporterAuth` entirely if your collector is open inside a private network:

```ts theme={null}
const config: TelemetryConfig = {
  serverName: 'my-server',
  serverVersion: '1.0.0',
  exporterEndpoint: 'http://otel-collector.cluster.local:4318/v1',
}
```

## Console exporter (no auth)

For local dev, skip the exporter entirely:

```ts theme={null}
const config: TelemetryConfig = {
  serverName: 'my-server',
  serverVersion: '1.0.0',
  exporterType: 'console',
}
```

No `exporterEndpoint` or `exporterAuth` is needed.

## How auth flows to safety checks

`instrumentServer` extracts the auth token from your config and stashes it for
`safetyCheck` to use. Both `bearer.token` and `apiKey.apiKey` get forwarded
to the safety endpoint as the `x-api-key` header.

```ts theme={null}
exporterAuth: { type: 'bearer', token: 'sk_live_xxx' }
// → safety API gets: x-api-key: sk_live_xxx

exporterAuth: { type: 'apiKey', apiKey: 'sk_live_xxx' }
// → safety API gets: x-api-key: sk_live_xxx
```

If you want a different credential for the safety API, call
`setTelemetryApiKey` directly:

```ts theme={null}
import { setTelemetryApiKey } from '@sedata-ai/mcp/dist/safety-check'

setTelemetryApiKey('different-key')
```

## Validation rules

`ConfigValidator` enforces that the right field is present for each type:

| `type`   | Required field            |
| -------- | ------------------------- |
| `bearer` | `token`                   |
| `apiKey` | `apiKey`                  |
| `basic`  | `username` and `password` |

Missing fields throw with a clear message at `instrumentServer` time — auth
problems fail loud, not silently.
