Authentication

Every connection to Thoughtbox uses an API key. Keys are scoped to a workspace — anything your agent records with a key (sessions, thoughts, knowledge) belongs to that workspace and only that workspace.

What a key looks like

Thoughtbox keys start with tbx_. The full key is shown once, when you create it. After that, only a short prefix is visible in the dashboard so you can identify which key is which.

If you lose a key, revoke it and create a new one. We can't recover the original — only the agent that copied it at creation time has it.

Creating a key

1. Sign in at thoughtbox.kastalienresearch.ai.
2. Open Settings → API Keys.
3. Click Create Key, give it a name (e.g. "claude-code-laptop"), and copy the key when it appears.

Naming keys is optional but recommended — when you have several active keys, the names tell you which agent or machine each one is for.

Installing a key

Install the key in your MCP client config — see the Quickstart for the exact steps. The key embeds in the MCP endpoint URL (https://mcp.kastalienresearch.ai/mcp?key=tbx_YOUR_KEY). Your client handles the rest.

Rotating a key

You can have several active keys at once, so rotation has no downtime:

1. Create a new key in Settings → API Keys.
2. Update your client config to point at the new key.
3. Confirm the new key works by talking to your agent.
4. Revoke the old key.

Revoking a key

In Settings → API Keys, click Revoke next to the key. It stops working immediately. The key record stays for audit purposes — it just can't authenticate any new requests.

Workspaces

Each key belongs to one workspace. Different keys for the same workspace see the same sessions, thoughts, and knowledge. Keys for different workspaces are fully isolated.

This is how you give different agents or teammates their own keys while sharing reasoning history. It's also how you keep client work separate from internal work — give each client a workspace, give each workspace its own keys.