MCP Authentication

MCP clients authenticate to HERO with either a personal access token (works everywhere) or OAuth (when supported by your client). Pick the tab that matches your setup.

Personal access token
OAuth

Works with every stdio MCP client. Paste the token into your client’s config.

Open MCP Settings

Generate a token

Click Generate New Token. Copy the hero_at_* value — it’s shown once.

Paste into your client's config

Stdio MCP clients receive the token via the HERO_API_KEY environment variable in their server entry:

{
  "mcpServers": {
    "hero": {
      "command": "npx",
      "args": ["-y", "@myhero/mcp-server"],
      "env": { "HERO_API_KEY": "hero_at_..." }
    }
  }
}

Or set HERO_API_KEY in your shell/application environment directly.

Skip the manual token — @myhero/mcp-server signs you in automatically the first time it needs credentials. No paste, no rotate, no shell setup. If HERO_API_KEY is not set, the OAuth flow triggers on the next tool call.

Browser opens automatically

The MCP server starts a short-lived listener on a free localhost port and launches your default browser at HERO’s sign-in page.
You don’t run anything yourself.

Close the tab

HERO redirects back to the localhost listener and the page shows “Login successful! You can close this tab.” That’s the whole user-facing flow.

Done — credentials saved

The MCP server exchanges the authorization code for an access token (PKCE), writes it to ~/.hero/credentials.json with mode 0600, and refreshes automatically before expiry.
You won’t be prompted again unless the refresh token is revoked or you delete that file.

The server hits HERO’s standard OAuth endpoints under the hood — included for transparency, you don’t call them directly:

Endpoint	URL
Authorization URL	`https://app.myhero.so/oauth/authorize`
Token URL	`https://app.myhero.so/oauth/token`

Connect HERO to your AI tool Webhooks