Authentication & Security
This page consolidates every authentication and security control across the Prezent platform into one reference: how each surface authenticates, how API keys are scoped to least privilege, and the transport- and payload-integrity guarantees you can build on.
If you just want to make your first call, start with Getting Started → Authentication. This page is the deeper, security-focused companion.
Auth model by surface
Prezent exposes several surfaces. They share one credential family (the Prezent API key) but differ in how that credential reaches the server.
| Surface | Auth mechanism |
|---|---|
Platform API (api.prezent.ai) | API key as Bearer token — Authorization: Bearer <api_key> |
Hosted MCP (mcp.myprezent.com) | OAuth 2.1 authorization code + PKCE; the server exchanges the resulting token for your Prezent API key server-side |
| Local MCP (stdio server) | Bearer — API key supplied via the PRESENTATION_API_TOKEN environment variable |
SCIM (/api/v1/scim/*) | Bearer (RFC 7644 contract) — Authorization: Bearer <api_key> |
A few clarifications worth calling out explicitly:
- SCIM uses Bearer, not OAuth. The SCIM User Management API follows the RFC 7644 protocol contract, but it authenticates with the same Bearer API key as the rest of the platform — there is no separate OAuth flow for SCIM. See SCIM → Authentication.
- Only the Hosted MCP surface uses OAuth. OAuth 2.1 (authorization code + PKCE) is how Claude.ai and other remote MCP clients obtain a token without ever handling your raw API key; the hosted server exchanges that token for your API key behind the scenes, so the key never leaves Prezent infrastructure. Details in Agents & MCP → Authentication.
Bearer authentication
Every Platform API request carries the API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY
- API keys are issued by your Customer Success Manager. Self-service key generation is not currently supported.
- The API authenticates on the
Authorization: Bearerheader only — the AWSx-api-keyheader is not accepted. - Keys may carry an
expiry_dateand astatus. A request made with an expired key is rejected with401 EXPIRED_API_KEY, and the key's status is flipped toexpired. - API keys are masked after generation. You can download and view a key exactly once at issue time; afterward it cannot be retrieved again, so store it securely.
Scoped API keys & least-privilege permissions
Every Prezent API key is a least-privilege, per-endpoint scoped token.
It carries an explicit server-side allow-list of permitted API paths,
not blanket account access. A request to any path outside the key's
allow-list returns 404 ENDPOINT_NOT_FOUND — the same response as a
non-existent route, so an out-of-scope path is not even distinguishable
from one that does not exist. Scope is enforced on every request,
after the key is authenticated and before any handler runs.
Path patterns can include {param} placeholders (for example
/api/v1/template-conversions/{callback_id}/download), so a scope covers
a resource family without enumerating every id.
Scope profiles
A key is provisioned for exactly the surface an integration needs. Each profile below is simply a named set of permitted paths — a key can be scoped to any one of them, a combination, or down to a single endpoint:
| Profile | Permitted paths (example) | Use case |
|---|---|---|
| Generation | /api/v1/autogenerations, /api/v1/autogenerations/{callback_id}, /api/v1/autogenerations/{callback_id}/downloads, /api/v1/autogenerations/{callback_id}/regenerations | Create decks and fetch results |
| Template conversion | /api/v1/template-conversions, /api/v2/template-converter/status/{callback_id}, /api/v1/template-conversions/{callback_id}/download | Apply a brand template and download |
| Audiences (read-only) | /api/v1/audiences, /api/v1/audiences/search | List and search audience profiles |
| Themes & templates (read-only) | /api/v1/themes, /api/v1/templates | Discover brand themes/templates |
| Webhook management | /api/v1/webhook-subscriptions, /api/v1/webhook-subscriptions/{id}, /api/v1/webhook-subscriptions/{id}/rotate-secret, /api/v1/webhook-subscriptions/{id}/test | Manage event subscriptions |
| SCIM provisioning | /api/v1/scim/* | User provisioning (RFC 7644) |
A leaked or misused key can only ever reach the endpoints it was issued for — an agent never holds more authority than its narrowest task needs.
How scopes are provisioned
- Scopes are provisioned by Prezent, per key, to match your integration. They are server-side path allow-lists — not OAuth scope strings, not token claims, and not self-service.
- To issue a key or change its scope, contact your Customer Success Manager. Keys are least-privilege by default: request only the paths an integration actually needs.
- Use a separate, narrowly-scoped key per integration and per environment so each can be monitored and revoked independently.
Requesting a scoped key
Give your CSM the exact scope so the key is provisioned minimally:
Integration: <name, e.g. "marketing-deck-bot">
Environment: <production | UAT | development>
Scope: <a profile above, or an explicit list of permitted paths>
Expiry: <optional expiry date>
Because scope enforcement returns 404, treat an unexpected
404 ENDPOINT_NOT_FOUND on a known-good path as a possible scope
problem, not just a typo.
API key hygiene
Treat API keys as long-lived secrets equivalent to a password.
- Store server-side only. Keep keys in a secrets manager or server-side environment variable. Never embed an API key in client-side code (browser JavaScript, mobile apps, public repos) where it can be extracted.
- Never commit or log keys. Keep keys out of source control, CI logs,
error trackers, and analytics. Scrub
Authorizationheaders from any request logging. - Use separate keys per environment. Issue distinct keys for development, staging/UAT, and production so you can scope, monitor, and revoke them independently. The platform exposes separate hosts per environment (see Base URL).
- Rotate on exposure. If a key is exposed, contact your Customer Success Manager to have it rotated and the old key revoked.
- Scope down. Request keys scoped to only the endpoints an integration needs (see Scoped API keys & permissions).
Webhook signing secrets follow the
whsec_prefix convention (see Payload integrity). Like API keys, a webhook secret is shown once at creation and is masked on subsequent reads.
Transport security
- All Prezent API traffic is served exclusively over HTTPS. Every
published environment host — production (
api.prezent.ai), UAT, and development — is anhttps://endpoint. There is no plaintext-HTTP host. - Webhook delivery targets must also be HTTPS. When you register a webhook
subscription, an
http://target URL is rejected outright with400 INVALID_URL_SCHEME, and targets that resolve to private, loopback, link-local, or metadata-service addresses are rejected to prevent SSRF. See Webhooks → URL requirements.
Payload integrity (webhook signing)
When Prezent pushes events to your endpoint, every delivery is signed so you can prove it came from Prezent and was not tampered with in transit.
- Each subscription is issued an HMAC secret (prefix
whsec_), returned once at creation; subsequent reads expose only thesecret_prefix. - Every delivery carries an
X-Prezent-Signature: t=<unix>,v1=<hex>header. Thev1value is an HMAC-SHA256 of"{timestamp}.{raw_body}"keyed on your secret (a Stripe-compatible scheme). - Verify with a constant-time comparison and reject deliveries whose timestamp is outside a small tolerance (we recommend 5 minutes) to defeat replay of an intercepted payload.
Full verification walkthrough with cURL, Python, and Node.js examples: Webhooks → Verify the signature.
See also
- Getting Started → Authentication — first-call setup.
- Webhooks — signed delivery, secret rotation, SSRF protections.
- Agents & MCP → Authentication — hosted OAuth 2.1 vs. local Bearer.
- SCIM — User Management — RFC 7644 Bearer contract.
- Developer Guide — error codes, rate limits, best practices.