Many services in the App Store, especially those that require payment, are protected. To use them, your agent must present a valid credential. The primary method for programmatic clients like AI agents is a long-lived API Key. However, for user-facing applications (like a desktop app or IDE plugin), a browser-based OAuth 2.1 Login flow is also supported. This guide covers both.

Primary Method: API Keys for Autonomous Agents

This process is designed for non-interactive use cases like backend services or autonomous agents. As the user running the agent, you will perform a one-time setup in the App Store UI to provision a key. Your agent then uses this key for all subsequent requests.

1. Set a Spending Allowance

Before your agent can use a paid service, you must authorize it to spend funds on your behalf. This is done by setting an allowance.
  1. Navigate to the service’s detail page in the Prometheus App Store.
  2. Find the “Access & Billing” section.
  3. Click “Manage Allowance” and approve a spending limit with your wallet. This is a non-custodial icrc2_approve transaction; funds remain in your wallet until they are spent.

2. Generate an API Key

Once the allowance is set, you can create an API key.
  1. In the same “Access & Billing” section, click “Create API Key”.
  2. Give the key a descriptive name (e.g., “My-Claude-Agent-Key”).
  3. The new key will be displayed on your screen.
Copy this key immediately and store it securely! For your security, this is the only time the full key will be visible.

3. Configure Your Agent

With the API key copied, the final step is to provide it to your agent or SDK. The key must be sent in the x-api-key header of every request.

SDK Implementation (API Key)

If you are building a custom client with the @modelcontextprotocol/sdk, you provide the API key when you create the transport layer.
import { Client } from '@modelcontextprotocol/sdk/client/index.js';
import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';

// The URL of the protected service from the App Store
const serviceUrl = 'https://<canister_id>.icp0.io/mcp/';

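// Load the key from the environment or a secret store rather than hard-coding it.
// PROMETHEUS_API_KEY is an example variable name; the value looks like 'prom_sk_123abc...'.
const apiKey = process.env.PROMETHEUS_API_KEY;
if (!apiKey) throw new Error('PROMETHEUS_API_KEY is not set');

const client = new Client({ name: 'my-custom-agent', version: '1.0.0' });

// Pass the API key in the 'x-api-key' header when creating the transport.
// The transport takes custom request headers through its `requestInit` option.
const transport = new StreamableHTTPClientTransport(new URL(serviceUrl), {
  requestInit: {
    headers: {
      'x-api-key': apiKey,
    },
  },
});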

// This call now connects directly without any browser interaction.
await client.connect(transport);
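
Because the key is long-lived and sent in a custom header on every request, the client should attach it only to the service's own HTTPS origin and never log it in full. The following is an added example, not code from Prometheus or the MCP SDK; `redactKey`, `mayCarryKey` and `makeKeyScopedFetch` are hypothetical helper names, and the URL and key are constructed placeholders.

```javascript
// Added example, not Prometheus or MCP SDK code. Helper names are hypothetical.

// Mask a key for logs: keep the first 8 and the last 4 characters.
function redactKey(key) {
  if (typeof key !== 'string' || key.length < 16) return '[redacted]';
  return `${key.slice(0, 8)}...${key.slice(-4)}`;
}

// A request may carry the key only over HTTPS and only to the service's own origin.
function mayCarryKey(targetUrl, serviceUrl) {
  const target = new URL(targetUrl);
  const service = new URL(serviceUrl);
  return target.protocol === 'https:' && target.origin === service.origin;
}

// Wrap a fetch implementation so 'x-api-key' is attached only where allowed.
function makeKeyScopedFetch(serviceUrl, apiKey, baseFetch = globalThis.fetch) {
  if (!apiKey) throw new Error('API key is not set');
  return (input, init = {}) => {
    const url = String(input.url ?? input); // Request object, URL object or string
    const headers = new Headers(init.headers ?? input.headers);
    if (mayCarryKey(url, serviceUrl)) {
      headers.set('x-api-key', apiKey);
      // Assumption: the service endpoint does not redirect. Failing on redirects
      // keeps the custom header from being replayed to another host.
      return baseFetch(input, { ...init, headers, redirect: 'error' });
    }
    headers.delete('x-api-key'); // never forward the key to any other origin
    return baseFetch(input, { ...init, headers });
  };
}

// Constructed demo: a stub fetch that reports whether the key would be sent.
const demoKey = 'prom_sk_CONSTRUCTED_EXAMPLE_0000';
const demoFetch = makeKeyScopedFetch(
  'https://example-canister.icp0.io/mcp/',
  demoKey,
  (input, init) => ({ url: String(input), hasKey: init.headers.has('x-api-key') })
);
console.log(redactKey(demoKey));
console.log(demoFetch('https://example-canister.icp0.io/mcp/'));
console.log(demoFetch('https://other.example/'));
```

If your version of the MCP TypeScript SDK accepts a custom `fetch` in the transport options (an assumption to check against the version you have installed), this wrapper can be passed there instead of setting the header directly.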

Optional: Interactive Login for User-Facing Applications

While API keys are ideal for autonomous agents, the Prometheus SDK also supports a browser-based OAuth 2.1 flow. This method is designed for applications where a user is present to interactively log in and grant consent.

The Seamless Login Flow

You do not need to manually register clients or handle tokens. The SDK manages the entire process.
1. Connection is Attempted

Your application attempts to connect to the protected MCP server.

2. Login Prompt Appears

The SDK detects the need for authentication and automatically opens a browser window, prompting the user to log in and grant your application consent.

3. User Grants Consent

The user logs in with their identity and approves the permissions (e.g., “Allow this agent to spend tokens on my behalf”).

4. Connection Succeeds

Once consent is granted, the browser window closes. The SDK securely receives an access token in the background and automatically retries the connection, which now succeeds.

SDK Implementation (Interactive Login)

To trigger this flow, simply attempt to connect without providing an API key. The SDK handles the rest.
import { Client } from '@modelcontextprotocol/sdk/client/index.js';
import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';

// The URL of the protected service from the App Store
const serviceUrl = 'https://<canister_id>.icp0.io/mcp/';

const client = new Client({ name: 'my-custom-agent', version: '1.0.0' });

// Create the transport WITHOUT any authentication headers
const transport = new StreamableHTTPClientTransport(new URL(serviceUrl));

// This single call handles everything.
// If authentication is needed, it will trigger the browser flow.
await client.connect(transport);

// You are now connected and authenticated.
// The SDK will automatically manage tokens for all subsequent calls.
const result = await client.callTool({ name: 'some_paid_tool' });
