Auth
YDB-Qdrant auth and scoped access
YDB-Qdrant uses namespace-oriented REST API keys for vector data and a separate bearer-token model for hosted Code Indexer MCP repository memory.
REST API key namespace
Send api-key on REST requests. The server derives a stable namespace from the key, then stores collection metadata and points under that namespace.
api-key: my-stable-namespace-key
- Use separate keys for separate apps, environments, workspaces, or agents.
- The key is the namespace boundary for collection and point operations.
- Anonymous fallback can depend on request metadata and is not recommended for stable agent workflows.
Version and retry headers
YDB-Qdrant-API-Version: 2026-05-28 Idempotency-Key: stable-mutation-key
- YDB-Qdrant-API-Version is optional and pins the current documented REST API contract.
- Idempotency-Key is optional and should be reused when retrying the same intended mutation.
- Neither header grants access; authorization still comes from api-key for REST and bearer tokens for Code Indexer MCP.
Optional tenant suffix
Send X-Tenant-Id when one integration key needs separate tenant or workspace namespaces.
X-Tenant-Id: workspace-42
- Tenant values are normalized for storage.
- The default tenant is used when the header is omitted.
- This is not OAuth and not a role-based permission system.
Practical REST access model
- Read operations cover collection metadata, point retrieval, search, and query within the namespace.
- Write operations cover collection create/delete, point upsert/delete, and compatibility index calls within the namespace.
- The current REST server does not enforce OAuth scopes or per-operation grants inside one api-key.
Agent auth discovery metadata
Agents can discover the current auth contract through OAuth protected-resource metadata. This file documents the existing REST api-key namespace model. It intentionally omits authorization_servers and scopes_supported because the REST backend does not accept OAuth access tokens or enforce OAuth scopes.
/.well-known/oauth-protected-resource
- OAuth protected resource metadata
- Root REST calls still send api-key rather than OAuth bearer access tokens.
Code Indexer MCP tokens
Code Indexer auth is separate from REST API keys. Users install the GitHub App, sign in through GitHub OAuth, and create MCP tokens in the dashboard.
Authorization: Bearer <mcp-token>
- MCP tokens are shown once, stored as hashes, and revocable.
- Hosted MCP tools are read-only repository memory tools.
- Repository scope follows the GitHub App installation selection and linked user.