Authentication
Gigma uses two authentication methods:
1. Google OAuth (Web UI)
The browser editor uses Google Sign-In. After authentication:
- A JWT token is generated (valid for 30 days)
- The JWT is stored in `localStorage` and sent as an `Authorization: Bearer <jwt>` header
- All `/api/*` endpoints require this JWT
2. MCP Token (AI Agents)
Each user gets a unique MCP token embedded in their MCP URL:
https://gigma-mcp-server-854058119143.us-central1.run.app/mcp/t/<TOKEN>/
- The token is a 32-byte random `base64url` string
- Generated automatically on first login
- No OAuth needed — just paste the URL into your MCP config
- The token identifies the user and grants access to their most recent project
Token Security
- Tokens are stored in MongoDB with a unique index
- Each token maps to exactly one user
- Tokens do not expire (can be regenerated in the future)
- Treat your MCP URL like a password — anyone with it can modify your canvas
API Endpoints
Web API (requires JWT)
| Method | Path | Description |
|---|---|---|
| POST | /api/auth/google | Exchange Google credential for JWT |
| GET | /api/projects | List user's projects |
| POST | /api/projects | Create project |
| GET | /api/projects/:id | Get project with elements |
| PUT | /api/projects/:id | Save project |
| DELETE | /api/projects/:id | Delete project |
| GET | /api/mcp-link | Get user's MCP URL |
| POST | /api/projects/:id/export | Export via MCP server |
MCP Endpoint (requires token in URL)
| Method | Path | Description |
|---|---|---|
| ALL | /mcp/t/:token | MCP Streamable HTTP endpoint |
| GET | /health | Health check (no auth) |