Authenticating an AI agent to a governed MCP server
OntoRamp exposes its governance intelligence to AI agents through a governed Model Context Protocol (MCP) server. Every request is authenticated with an OntoRamp API key, presented as an HTTP Bearer token. The server is “governed” in the literal sense: it authenticates the caller, scopes what tools the key can reach, and meters usage by tier — so an agent's access to governance data is itself a governed boundary, not an open endpoint.
This page documents the authentication model exactly as the live server implements it, including the challenge an unauthenticated request receives.
The authentication model
Authentication is a Bearer API key over the MCP Streamable HTTP transport. There is no OAuth authorization-code exchange to perform: an agent registers a key once, then presents it on every call. A legacy SSE-named alias accepts the same key as a query parameter for older clients. Because query strings are commonly recorded in server and proxy logs, prefer the Authorization header wherever the client supports it.
# Streamable HTTP endpoint (recommended)
POST https://mcp.ontoramp.com/mcp
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
{ "jsonrpc": "2.0", "id": 1, "method": "tools/list" }
Discovering where to authenticate
An agent that calls the server without a valid key does not get a bare rejection. The server answers with 401 Unauthorized and a standards-based WWW-Authenticate Bearer challenge (RFC 6750). The challenge names the realm, the error, and an error_uri that points straight at the key-registration page — enough for an agent to recover and self-register without a human in the loop.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="OntoRamp MCP", error="invalid_token",
error_description="Provide a valid OntoRamp API key as a Bearer token;
register at https://ontoramp.com/mcp", error_uri="https://ontoramp.com/mcp"
{ "error": "Missing or invalid Authorization header" }
The challenge format is the same one OAuth bearer-token resources use, so an MCP client that already understands Bearer challenges needs no special casing here.
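A client-side sketch of handling the challenge above, added here as an example and not OntoRamp's own client code: it parses the RFC 6750 auth-params and returns the error_uri only when it is HTTPS on an allow-listed host, so an agent does not follow a registration link supplied by an unexpected responder. The function names and the allow-list are assumptions, and the sample header is the challenge shown above joined onto one line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the 401 challenge from this page as a single header value.
SAMPLE_CHALLENGE = (
    'Bearer realm="OntoRamp MCP", error="invalid_token", '
    'error_description="Provide a valid OntoRamp API key as a Bearer token; '
    'register at https://ontoramp.com/mcp", error_uri="https://ontoramp.com/mcp"'
)

# Assumption: hosts this client accepts as a key-registration destination.
TRUSTED_REGISTRATION_HOSTS = {"ontoramp.com"}

# auth-param = name "=" ( quoted-string / token ); quoted strings may hold \-escapes.
_PARAM = re.compile(r'([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_bearer_challenge(header_value):
    """Return the challenge's auth-params as a dict, or None if it is not Bearer."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        params.setdefault(name.lower(), value)  # first occurrence wins
    return params


def registration_url(header_value, trusted_hosts=TRUSTED_REGISTRATION_HOSTS):
    """Return error_uri only if it is https on a trusted host, otherwise None."""
    params = parse_bearer_challenge(header_value)
    if not params or "error_uri" not in params:
        return None
    try:
        parts = urlsplit(params["error_uri"])
        host = parts.hostname
    except ValueError:  # malformed netloc
        return None
    if parts.scheme != "https" or host not in trusted_hosts:
        return None
    if parts.username or parts.password:  # reject userinfo tricks like user@host
        return None
    return params["error_uri"]


if __name__ == "__main__":
    print(parse_bearer_challenge(SAMPLE_CHALLENGE))
    print(registration_url(SAMPLE_CHALLENGE))
```

The exact-match host comparison is deliberate: suffix or substring checks would accept look-alike hosts that merely contain the trusted name.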
Tiers and scope
A single OntoRamp key authenticates against the gateway and the per-plugin mounts; what differs by tier is how much you can call and which tools are unlocked. The free developer tier needs no card and covers a generous monthly allowance; the Org tier removes per-tool quotas.
Register a key on the MCP plugin hub, read the full tool catalogue in the MCP API reference, or see how an agent discovers and transacts with the server in agent discovery.
Endpoint host: https://mcp.ontoramp.com