Auth
YDB-Qdrant auth and scoped access
YDB-Qdrant uses namespace-oriented REST API keys for vector data and a separate bearer-token model for hosted Code Indexer MCP repository memory.
REST API key namespace
Send api-key on REST requests. The server derives a stable namespace from the key, then stores collection metadata and points under that namespace.
api-key: my-stable-namespace-key
- Use separate keys for separate apps, environments, workspaces, or agents.
- The key is the namespace boundary for collection and point operations.
- Anonymous fallback can depend on request metadata and is not recommended for stable agent workflows.
Optional tenant suffix
Send X-Tenant-Id when one integration key needs separate tenant or workspace namespaces.
X-Tenant-Id: workspace-42
- Tenant values are normalized for storage.
- The default tenant is used when the header is omitted.
- This is not OAuth and not a role-based permission system.
Practical REST permissions
namespace:read: collection metadata, point retrieval, search, and query within the namespace.namespace:write: collection create/delete, point upsert/delete, and compatibility index calls within the namespace.- The current REST server does not enforce per-operation grants inside one api-key.
Code Indexer MCP tokens
Code Indexer auth is separate from REST API keys. Users install the GitHub App, sign in through GitHub OAuth, and create MCP tokens in the dashboard.
Authorization: Bearer <mcp-token>
- MCP tokens are shown once, stored as hashes, and revocable.
- Hosted MCP tools are read-only repository memory tools.
- Repository scope follows the GitHub App installation selection and linked user.