CrewAI Authentication

Public read access

Content APIs are anonymous by default. Agents may call endpoints without a token; scoped credentials are optional for clients that enforce RBAC.

OAuth scopes

• openid — OpenID Connect identity
• profile — User profile claims
• email — Email address
• api.read — Read all public marketing JSON APIs
• content.blog.read — Read blog posts via GET /api/blog-posts
• content.case-studies.read — Read case studies via GET /api/case-studies
• content.webinars.read — Read webinars via GET /api/webinars
• content.events.read — Read events via GET /api/events
• mcp.tools.invoke — Invoke CrewAI MCP tools at POST /mcp

API key roles

• sandbox.read — Read-only access to public content APIs (maps to OAuth scope api.read) (OAuth: api.read)
• agent.mcp — Invoke MCP tools only (maps to mcp.tools.invoke) (OAuth: mcp.tools.invoke)

Authorization: Bearer crewai_site_sandbox_read

OAuth discovery (RFC 9727 / 8414)

• /.well-known/oauth-authorization-server
• /.well-known/openid-configuration
• /.well-known/oauth-protected-resource
• https://crewai.com/openapi.json