HTTP endpoints
Every /api/v1 and /mcp endpoint requires authentication: either an Authorization: Bearer <token> header (programmatic clients) or the opaque session cookie (browser).
Discovery
Agent (MCP)
Browser login
These drive the server-side login flow. They use the opaque session cookie, not a Bearer token.