API tokens
Personal tokens that authorize write tools (upload, publish, rollback, evaluate) from your agent, CI, or terminal. Send them as Authorization: Bearer <token>.
Give the token a name so you can recognise it later (e.g. which device or agent it's used from). Tokens without a name can't be minted — you'll thank us when you need to revoke one.
Tip: a good name describes where the token will live, e.g. claude-desktop, ci-deploy, cursor-mac.
Paste any token (or leave blank to use the freshly minted one above) to confirm it's recognized by the server.
How to use your token
Every write endpoint expects an Authorization header with the Bearer scheme. Read-only public endpoints work without it.
- Token is shown once — store it in a password manager or env var.
- Treat it like a password: don't commit to git, don't paste in chats.
- Revoke immediately if it leaks; mint a new one to replace it.
- One token per device/agent makes auditing and rotation easier.

    Authorization: Bearer sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    export SAS_TOKEN="sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    curl -X POST https://superagentskill.com/api/packages/upload \
      -H "Authorization: Bearer $SAS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "files": [
          { "name": "triage.md", "content": "# Cardiology triage" }
        ],
        "publish": false
      }'

    // Same payload as the curl example; the token is read from the environment.
    const files = [{ name: "triage.md", content: "# Cardiology triage" }];
    const res = await fetch("https://superagentskill.com/api/packages/upload", {
      method: "POST",
      headers: {
        Authorization: `Bearer ${process.env.SAS_TOKEN}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ files, publish: false }),
    });
    if (!res.ok) throw new Error(`Upload failed: ${res.status}`);
    const data = await res.json();

Pass the token via the SAS_TOKEN env var. The MCP server forwards it as the Authorization header on every tool call.
See /connect for one-click snippets per tool.

    {
      "mcpServers": {
        "super-agent-skill": {
          "command": "npx",
          "args": ["-y", "@superagentskill/mcp"],
          "env": { "SAS_TOKEN": "sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
        }
      }
    }

    {
      "tool": "upload_packages",
      "arguments": {
        "auth_token": "sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "files": [
          { "name": "triage.md", "content": "# Cardiology triage" },
          { "name": "tone.md", "content": "# Soul: warm clinician", "type": "soul" }
        ],
        "publish": false
      }
    }

- 401 Unauthorized — header missing or token revoked. Mint a new one above.
- 403 Forbidden — token valid but the action requires admin role or ownership.
- Malformed header — must be exactly Bearer <token> (case-sensitive scheme, single space, no quotes).
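
The malformed-header rule above, written as a pre-flight check that runs before a request is sent. This is an added example, not code from Super Agent Skill: the function names are hypothetical, the `sas_` prefix check is an assumption based on the placeholder shown on this page, and the sample headers are constructed.

```javascript
// Added example: diagnose an Authorization header value before sending it.
// Rule enforced (from this page): exactly "Bearer <token>", case-sensitive
// scheme, single space, no quotes.
// Assumption: real tokens start with "sas_", like the page's placeholder.

function redact(token) {
  // Never echo a full token into logs; keep the prefix and the last 4 chars.
  return token.length > 8 ? `${token.slice(0, 4)}...${token.slice(-4)}` : "****";
}

function checkAuthHeader(value) {
  if (typeof value !== "string" || value.length === 0) {
    return { ok: false, problems: ["header missing (the server answers 401)"] };
  }
  const problems = [];
  if (/["'`]/.test(value)) problems.push("contains quotes");
  if (/[\r\n]/.test(value)) problems.push("contains a line break");
  if (value !== value.trim()) problems.push("leading or trailing whitespace");

  // Split into scheme, separator and token so each part is checked on its own.
  const m = /^(\S+)(\s+)(.*)$/s.exec(value.trim());
  if (!m) {
    problems.push("no token after the scheme");
    return { ok: false, problems };
  }
  const [, scheme, gap, token] = m;
  const bare = token.replace(/["'`]/g, ""); // quotes were already reported above

  if (scheme !== "Bearer") problems.push(`scheme must be exactly "Bearer", got "${scheme}"`);
  if (gap !== " ") problems.push("scheme and token must be separated by a single space");
  if (/\s/.test(token)) problems.push("token contains whitespace");
  if (!bare.startsWith("sas_")) problems.push('token does not start with "sas_"');
  if (/^sas_x+$/.test(bare)) problems.push("token is still the documentation placeholder");

  return { ok: problems.length === 0, problems, token: redact(bare) };
}

// Constructed sample values (not real tokens).
const SAMPLE_TOKEN = "sas_0123456789abcdef0123456789abcdef";
for (const header of [`Bearer ${SAMPLE_TOKEN}`, `bearer ${SAMPLE_TOKEN}`, `Bearer "${SAMPLE_TOKEN}"`]) {
  const result = checkAuthHeader(header);
  console.log(result.ok ? "ok" : "bad", result.token, result.problems);
}
```

The diagnostics only ever contain the redacted token, so the result can be written to CI logs.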