MedAI Tools supports two modes depending on your deployment:

Open Mode

For development and internal use. No authentication configuration required. All tools are accessible without credentials.

EkaCare OAuth

For production and partner deployments. Authenticate via Eka’s OIDC provider (accounts.eka.care). Required for the hosted remote server at medai-tools.eka.care.

Open Mode (Default)

If you start the server without any auth environment variables, it runs in open mode — no login required. You’ll see this in the logs:
INFO: Running without auth
This is suitable for local development, internal networks, or trusted environments where access is controlled at the network level.

EkaCare OAuth Mode

For production deployments or when using the hosted server at https://medai-tools.eka.care/mcp, authentication is handled via EkaCare’s OIDC provider.

How It Works

There are two authentication paths:
  1. Full OIDC Flow — for external clients (Claude, ChatGPT, Cursor). Your AI client opens a browser window to accounts.eka.care, you log in, and the client receives an access token automatically.
  2. Direct Eka Token — for internal integrations. Pass a raw Eka API token via the Authorization header. The server validates it against api.eka.care and caches the result in Redis (5-minute TTL for valid tokens, 30-second TTL for invalid ones).

Self-hosted OAuth Setup

To enable EkaCare OAuth on your own instance, set the following environment variables:
| Variable | Required | Description |
| --- | --- | --- |
| FASTMCP_SERVER_AUTH_EKACARE_BASE_URL | Yes | Public URL of your server instance (e.g. https://medai.yourdomain.com) |
| FASTMCP_SERVER_AUTH_EKACARE_CLIENT_ID | Yes | OAuth client ID issued by Eka |
| FASTMCP_SERVER_AUTH_EKACARE_CLIENT_SECRET | Yes | OAuth client secret |
| FASTMCP_SERVER_AUTH_EKACARE_CLIENT_STORAGE_BE | No | Redis URL for token caching (e.g. redis://localhost:6379/0); improves validation performance |

Add to your .env file:
.env
FASTMCP_SERVER_AUTH_EKACARE_BASE_URL=https://medai.yourdomain.com
FASTMCP_SERVER_AUTH_EKACARE_CLIENT_ID=your_client_id
FASTMCP_SERVER_AUTH_EKACARE_CLIENT_SECRET=your_client_secret
FASTMCP_SERVER_AUTH_EKACARE_CLIENT_STORAGE_BE=redis://localhost:6379/0
Never commit .env files or credentials to version control. Use .gitignore to exclude them, and use separate credentials for development and production.

Token Caching with Redis

Redis is optional but recommended for production. Without it, every tool call triggers a live token validation request to api.eka.care. With Redis:
  • Valid tokens are cached for 5 minutes
  • Invalid/expired tokens are cached for 30 seconds (prevents hammering the auth API)
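
The caching behaviour above, sketched as an added example (not code from MedAI Tools): an in-memory dict stands in for Redis and `validate_upstream` stands in for the call to api.eka.care, and the class, function and key names are hypothetical. Keying entries on a SHA-256 digest of the token is an assumption of this sketch, not something the page states.

```python
import hashlib
import time

VALID_TTL = 300    # seconds: valid tokens are cached for 5 minutes (from the page)
INVALID_TTL = 30   # seconds: invalid/expired tokens are cached for 30 seconds


class TokenValidationCache:
    """In-memory stand-in for the Redis cache; all names here are hypothetical."""

    def __init__(self, validate_upstream, clock=time.monotonic):
        self._validate = validate_upstream   # callable(token) -> bool, stands in for api.eka.care
        self._clock = clock
        self._store = {}                     # key -> (is_valid, expires_at)
        self.upstream_calls = 0

    @staticmethod
    def _key(token):
        # Key on a digest so the raw bearer token never sits in the cache.
        return "tokval:" + hashlib.sha256(token.encode()).hexdigest()

    def is_valid(self, token):
        key, now = self._key(token), self._clock()
        hit = self._store.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                    # served from cache, no upstream call
        self.upstream_calls += 1
        ok = bool(self._validate(token))
        ttl = VALID_TTL if ok else INVALID_TTL
        self._store[key] = (ok, now + ttl)   # negative results are cached too, but briefly
        return ok


def demo():
    """Replay constructed requests on a fake clock; return the upstream call count after each."""
    now = [0.0]
    accepted = {"good-token"}                # constructed sample data
    cache = TokenValidationCache(lambda t: t in accepted, clock=lambda: now[0])
    counts = []
    for t, token in [(0, "good-token"), (10, "good-token"), (299, "good-token"),
                     (300, "good-token"), (300, "bad-token"), (329, "bad-token"),
                     (330, "bad-token")]:
        now[0] = float(t)
        cache.is_valid(token)
        counts.append(cache.upstream_calls)
    return counts


if __name__ == "__main__":
    print(demo())
```

In this sketch a token that upstream stops accepting after it was cached as valid is still accepted until its 5-minute entry expires; that is the trade-off the longer TTL makes.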

Getting OAuth Credentials

To obtain a Client ID and Secret for a self-hosted deployment, contact ekaconnect@eka.care. Include:
  • Your organization name
  • Deployment URL (the BASE_URL you plan to use)
  • Intended use case

For the hosted server (https://medai-tools.eka.care/mcp), authentication is managed by Eka — you only need an Eka account. OAuth credentials are only needed for self-hosted deployments.