Super Agent Skill
Start
Account

API tokens

Personal tokens that authorize write tools (upload, publish, rollback, evaluate) from your agent, CI, or terminal. Send them as Authorization: Bearer <token>.

New token
Validate a token

Paste any token (or leave blank to use the freshly minted one above) to confirm it's recognized by the server.

Active tokens
Loading…

How to use your token

1. Authorization header

Every write endpoint expects an Authorization header with the Bearer scheme. Read-only public endpoints work without it.

  • Token is shown once — store it in a password manager or env var.
  • Treat it like a password: don't commit to git, don't paste in chats.
  • Revoke immediately if it leaks; mint a new one to replace it.
  • One token per device/agent makes auditing and rotation easier.
Authorization: Bearer sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2. curl
export SAS_TOKEN="sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

curl -X POST https://superagentskill.com/api/packages/upload \
  -H "Authorization: Bearer $SAS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "files": [
      { "name": "triage.md", "content": "# Cardiology triage" }
    ],
    "publish": false
  }'
3. JavaScript / fetch
const res = await fetch("https://superagentskill.com/api/packages/upload", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${process.env.SAS_TOKEN}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ files, publish: false }),
});
if (!res.ok) throw new Error(`Upload failed: ${res.status}`);
const data = await res.json();
4. MCP client config (Cursor / Claude Code / Codex / VS Code)

Pass the token via the SAS_TOKEN env var. The MCP server forwards it as the Authorization header on every tool call.

See /connect for one-click snippets per tool.

{
  "mcpServers": {
    "super-agent-skill": {
      "command": "npx",
      "args": ["-y", "@superagentskill/mcp"],
      "env": { "SAS_TOKEN": "sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
    }
  }
}
5. Inline MCP tool call (legacy / no env)
{
  "tool": "upload_packages",
  "arguments": {
    "auth_token": "sas_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "files": [
      { "name": "triage.md", "content": "# Cardiology triage" },
      { "name": "tone.md",   "content": "# Soul: warm clinician", "type": "soul" }
    ],
    "publish": false
  }
}
Common errors
  • 401 Unauthorized — header missing or token revoked. Mint a new one above.
  • 403 Forbidden — token valid but the action requires admin role or ownership.
  • Malformed header — must be exactly Bearer <token> (case-sensitive scheme, single space, no quotes).