added api key based authentication

README.md

@@ -72,6 +72,7 @@ FleetMind is a production-ready **Model Context Protocol (MCP) server** that tra
 
 ### Key Features
 
+✅ **🔑 API Key Authentication** - Secure multi-tenant access with personal API keys
 ✅ **29 AI Tools** - Order, Driver & Assignment Management (including Gemini 2.0 Flash AI)
 ✅ **2 Real-Time Resources** - Live data feeds (orders://all, drivers://all)
 ✅ **Google Maps Integration** - Geocoding & Route Calculation with traffic data
@@ -155,30 +156,70 @@ FleetMind isn't just an MCP server—it's a **blueprint for enterprise AI integr
 
 ### Connect from Claude Desktop
 
-1. **Install Claude Desktop** from https://claude.ai/download
+#### **Step 1: Get Your API Key** 🔑
 
-2. **Configure MCP Server** - Edit your `claude_desktop_config.json`:
+Visit the FleetMind server and generate your personal API key:
+
+👉 **https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/generate-key**
+
+1. Enter your email address
+2. Enter your name (optional)
+3. Click "Generate API Key"
+4. **Copy your API key immediately** - it won't be shown again!
+
+Your API key will look like: `fm_xxxxxxxxxxxxxxxxxxxxxxxx`
+
+#### **Step 2: Install Claude Desktop**
+
+Download from: https://claude.ai/download
+
+#### **Step 3: Configure MCP Server**
+
+Edit your `claude_desktop_config.json`:
 
 **For Production (HuggingFace Space):**
 ```json
 {
   "mcpServers": {
-    "fleetmind_Prod": {
+    "fleetmind": {
       "command": "npx",
       "args": [
         "mcp-remote",
         "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"
-      ]
+      ],
+      "env": {
+        "FLEETMIND_API_KEY": "fm_your_api_key_here"
+      }
     }
   }
 }
 ```
 
-**For Local Development:**
+⚠️ **Important:** Replace `fm_your_api_key_here` with your actual API key from Step 1!
+
+**For Local Development (with API Key):**
 ```json
 {
   "mcpServers": {
-    "fleetmind": {
+    "fleetmind_local": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "http://localhost:7860/sse"
+      ],
+      "env": {
+        "FLEETMIND_API_KEY": "your_local_api_key"
+      }
+    }
+  }
+}
+```
+
+**For Local Development (SKIP_AUTH mode):**
+```json
+{
+  "mcpServers": {
+    "fleetmind_local": {
       "command": "npx",
       "args": [
         "mcp-remote",
@@ -188,26 +229,35 @@ FleetMind isn't just an MCP server—it's a **blueprint for enterprise AI integr
   }
 }
 ```
+*Set `SKIP_AUTH=true` in your `.env` file for local testing without API keys*
 
 **Both (Production + Local):**
 ```json
 {
   "mcpServers": {
-    "fleetmind": {
+    "fleetmind_local": {
       "command": "npx",
-      "args": ["mcp-remote", "http://localhost:7860/sse"]
+      "args": ["mcp-remote", "http://localhost:7860/sse"],
+      "env": {
+        "FLEETMIND_API_KEY": "your_local_key"
+      }
     },
-    "fleetmind_Prod": {
+    "fleetmind": {
       "command": "npx",
-      "args": ["mcp-remote", "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"]
+      "args": ["mcp-remote", "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"],
+      "env": {
+        "FLEETMIND_API_KEY": "your_production_key"
+      }
     }
   }
 }
 ```
 
-3. **Restart Claude Desktop** - FleetMind tools will appear automatically!
+#### **Step 4: Restart Claude Desktop**
+
+Restart Claude Desktop - FleetMind tools will appear automatically!
 
-4. **Try it out:**
+#### **Step 5: Try It Out!**
    - "Create an urgent delivery order for Sarah at 456 Oak Ave, San Francisco"
    - "Use intelligent AI assignment to find the best driver for this order"
    - "Show me all available drivers"
@@ -472,6 +522,7 @@ CREATE TABLE drivers (
 - Python 3.10+
 - PostgreSQL database (or use Neon serverless)
 - Google Maps API key
+- Google Gemini API key (for AI features)
 
 ### Setup
 
@@ -488,17 +539,40 @@ cp .env.example .env
 # Edit .env with your credentials:
 #   DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASSWORD
 #   GOOGLE_MAPS_API_KEY
+#   GOOGLE_API_KEY (for Gemini)
+#   SKIP_AUTH=true  # For local development without API keys
 
-# Test server
-python -c "import server; print('Server ready!')"
-
-# Run locally (stdio mode for Claude Desktop)
-python server.py
+# Run database migrations
+python database/migrations/001_initial_schema.py
+# ... run all migrations
 
 # Run locally (SSE mode for web clients)
 python app.py
 ```
 
+### API Key Management (Local)
+
+**Generate API Keys:**
+```bash
+# Interactive mode
+python generate_api_key.py
+
+# With arguments
+python generate_api_key.py --email user@example.com --name "Test User"
+
+# List all keys
+python generate_api_key.py --list
+
+# Revoke a key
+python generate_api_key.py --revoke user@example.com
+```
+
+**Web Interface:**
+Visit http://localhost:7860/generate-key to generate keys via web form.
+
+**Development Mode (No API Keys):**
+Set `SKIP_AUTH=true` in `.env` to bypass authentication for local testing.
+
 ### Testing
 
 ```bash
@@ -554,6 +628,53 @@ Upload files directly to HF Space:
 
 ---
 
+## 🔒 Authentication & Security
+
+FleetMind uses **API Key authentication** for secure multi-tenant access:
+
+### How It Works
+
+1. **User generates API key** via web interface (`/generate-key`)
+2. **API key is hashed** (SHA-256) before storage - never stored in plaintext
+3. **User adds key** to Claude Desktop config in `env.FLEETMIND_API_KEY`
+4. **Server validates key** on each request
+5. **Data is isolated** - each user only sees their own orders/drivers
+
+### Security Features
+
+- ✅ **One-Time Display** - API keys shown only once during generation
+- ✅ **Hashed Storage** - SHA-256 hashing, never stored in plaintext
+- ✅ **Multi-Tenant** - Complete data isolation per user
+- ✅ **Easy Revocation** - Keys can be revoked via CLI or web interface
+- ✅ **Development Mode** - `SKIP_AUTH=true` for local testing
+
+### API Key Format
+
+```
+fm_LAISKBMKmQxoapDbLIhr_KqbVL69AS58wBtdpYfbQ10
+```
+
+- Prefix: `fm_` (FleetMind)
+- 43 random characters (URL-safe base64)
+- Unique per user
+
+### Managing Keys
+
+```bash
+# Generate new key
+python generate_api_key.py --email user@example.com
+
+# List all keys
+python generate_api_key.py --list
+
+# Revoke a key
+python generate_api_key.py --revoke user@example.com
+```
+
+Or use the web interface: `http://localhost:7860/generate-key`
+
+---
+
 ## 📝 Environment Variables
 
 Required:
@@ -567,6 +688,10 @@ DB_PASSWORD=your_password
 
 # Google Maps API
 GOOGLE_MAPS_API_KEY=your_api_key
+
+# Google Gemini API
+GOOGLE_API_KEY=your_gemini_key
+AI_PROVIDER=gemini
 ```
 
 Optional:
@@ -575,6 +700,10 @@ Optional:
 PORT=7860
 HOST=0.0.0.0
 LOG_LEVEL=INFO
+SERVER_URL=http://localhost:7860
+
+# Authentication
+SKIP_AUTH=true  # Set to false for production
 ```
 
 ---

app.py

@@ -94,25 +94,9 @@ if __name__ == "__main__":
     logger.info("=" * 70)
 
     try:
-        # Add landing page and OAuth metadata using custom_route decorator
+        # Add web routes for landing page and API key generation
         from starlette.responses import HTMLResponse, JSONResponse
-
-        @mcp.custom_route("/.well-known/oauth-protected-resource", methods=["GET"])
-        async def oauth_metadata(request):
-            """OAuth 2.0 Protected Resource Metadata (RFC 9728)"""
-            return JSONResponse({
-                "resource": os.getenv('SERVER_URL', 'http://localhost:7860'),
-                "authorization_servers": [
-                    "https://test.stytch.com/v1/public"
-                ],
-                "scopes_supported": [
-                    "orders:read", "orders:write",
-                    "drivers:read", "drivers:write",
-                    "assignments:manage", "admin"
-                ],
-                "bearer_methods_supported": ["header"],
-                "resource_signing_alg_values_supported": ["RS256"]
-            })
+        from database.api_keys import generate_api_key as db_generate_api_key
 
         @mcp.custom_route("/", methods=["GET"])
         async def landing_page(request):
@@ -155,7 +139,15 @@ if __name__ == "__main__":
             <code>https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse</code>
         </div>
 
-        <h3>⚙️ Claude Desktop Configuration</h3>
+        <h3>🔑 Step 1: Get Your API Key</h3>
+        <p style="text-align: center; margin: 20px 0;">
+            <a href="/generate-key" style="display: inline-block; background: #3b82f6; color: white; padding: 15px 30px; border-radius: 8px; text-decoration: none; font-weight: bold; font-size: 18px;">
+                Generate API Key →
+            </a>
+        </p>
+        <p>Click the button above to generate your unique API key. You'll need this to authenticate with the server.</p>
+
+        <h3>⚙️ Step 2: Configure Claude Desktop</h3>
         <p>Add this to your <code>claude_desktop_config.json</code> file:</p>
         <pre>{
   "mcpServers": {
@@ -164,16 +156,20 @@ if __name__ == "__main__":
       "args": [
         "mcp-remote",
         "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"
-      ]
+      ],
+      "env": {
+        "FLEETMIND_API_KEY": "fm_your_api_key_here"
+      }
     }
   }
 }</pre>
 
-        <h3>📋 How to Connect</h3>
+        <h3>📋 Step 3: Connect</h3>
         <ol>
+            <li><strong>Generate your API key</strong> using the button above</li>
             <li>Install <a href="https://claude.ai/download" target="_blank">Claude Desktop</a></li>
             <li>Locate your <code>claude_desktop_config.json</code> file</li>
-            <li>Add the configuration shown above</li>
+            <li>Add the configuration (replace <code>fm_your_api_key_here</code> with your actual key)</li>
             <li>Restart Claude Desktop</li>
             <li>Look for "FleetMind" in the 🔌 tools menu</li>
         </ol>
@@ -211,6 +207,7 @@ if __name__ == "__main__":
 
         <h2>⭐ Key Features</h2>
         <ul>
+            <li><strong>🔑 API Key Authentication</strong> - Secure multi-tenant access with personal API keys</li>
             <li><strong>🧠 Gemini 2.0 Flash AI</strong> - Intelligent order assignment with detailed reasoning</li>
             <li><strong>🌦️ Weather-Aware Routing</strong> - Safety-first delivery planning with OpenWeatherMap</li>
             <li><strong>🚦 Real-Time Traffic</strong> - Google Routes API integration with live traffic data</li>
@@ -239,7 +236,149 @@ if __name__ == "__main__":
 </html>
             """)
 
+        @mcp.custom_route("/generate-key", methods=["GET", "POST"])
+        async def generate_key_page(request):
+            """API Key generation page"""
+            if request.method == "GET":
+                return HTMLResponse("""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Generate FleetMind API Key</title>
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Arial, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; background: #0f172a; color: #e2e8f0; }
+        .container { background: #1e293b; padding: 40px; border-radius: 12px; box-shadow: 0 8px 16px rgba(0,0,0,0.4); }
+        h1 { color: #f1f5f9; }
+        input { width: 100%; padding: 12px; margin: 10px 0; border-radius: 6px; border: 1px solid #334155; background: #0f172a; color: #e2e8f0; font-size: 16px; }
+        button { background: #3b82f6; color: white; border: none; padding: 12px 24px; border-radius: 6px; font-size: 16px; cursor: pointer; width: 100%; }
+        button:hover { background: #2563eb; }
+        .info { background: #1e3a5f; padding: 15px; border-radius: 6px; margin: 15px 0; border-left: 4px solid #3b82f6; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>🔑 Generate API Key</h1>
+        <p>Create your FleetMind MCP Server API key</p>
+
+        <div class="info">
+            <strong>📋 What you'll need:</strong><br>
+            • Your email address<br>
+            • Your name (optional)<br>
+            <br>
+            After generation, you'll get an API key to use with Claude Desktop.
+        </div>
+
+        <form method="POST">
+            <input type="email" name="email" placeholder="Your email address" required>
+            <input type="text" name="name" placeholder="Your name (optional)">
+            <button type="submit">Generate API Key</button>
+        </form>
+
+        <p style="text-align: center; margin-top: 20px;">
+            <a href="/" style="color: #60a5fa; text-decoration: none;">← Back to Home</a>
+        </p>
+    </div>
+</body>
+</html>
+                """)
+
+            # POST - Generate API key
+            else:
+                try:
+                    form_data = await request.form()
+                    email = form_data.get("email")
+                    name = form_data.get("name") or None
+
+                    if not email:
+                        return HTMLResponse("<h1>Error: Email is required</h1>", status_code=400)
+
+                    result = db_generate_api_key(email, name)
+
+                    if not result['success']:
+                        return HTMLResponse(f"<h1>Error: {result['error']}</h1>", status_code=400)
+
+                    # Success - show the API key (one time only!)
+                    return HTMLResponse(f"""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Your FleetMind API Key</title>
+    <style>
+        body {{ font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; background: #0f172a; color: #e2e8f0; }}
+        .container {{ background: #1e293b; padding: 40px; border-radius: 12px; box-shadow: 0 8px 16px rgba(0,0,0,0.4); }}
+        h1 {{ color: #f1f5f9; }}
+        .success {{ background: #10b981; padding: 15px; border-radius: 6px; margin: 15px 0; }}
+        .warning {{ background: #ef4444; padding: 15px; border-radius: 6px; margin: 15px 0; }}
+        code {{ background: #334155; color: #60a5fa; padding: 3px 8px; border-radius: 4px; font-family: 'Courier New', monospace; display: block; margin: 10px 0; word-wrap: break-word; font-size: 14px; }}
+        pre {{ background: #0f172a; color: #f1f5f9; padding: 20px; border-radius: 8px; overflow-x: auto; border: 1px solid #334155; }}
+        button {{ background: #3b82f6; color: white; border: none; padding: 12px 24px; border-radius: 6px; font-size: 16px; cursor: pointer; margin: 10px 5px; }}
+        button:hover {{ background: #2563eb; }}
+    </style>
+    <script>
+        function copyKey() {{
+            navigator.clipboard.writeText('{result["api_key"]}');
+            alert('API key copied to clipboard!');
+        }}
+    </script>
+</head>
+<body>
+    <div class="container">
+        <h1>✅ API Key Generated!</h1>
+
+        <div class="success">
+            <strong>Your API key has been created successfully</strong>
+        </div>
+
+        <p><strong>Email:</strong> {result["email"]}</p>
+        <p><strong>Name:</strong> {result["name"]}</p>
+        <p><strong>User ID:</strong> {result["user_id"]}</p>
+
+        <div class="warning">
+            <strong>⚠️ SAVE THIS KEY NOW - IT WON'T BE SHOWN AGAIN!</strong>
+        </div>
+
+        <h2>🔑 Your API Key:</h2>
+        <code>{result["api_key"]}</code>
+        <button onclick="copyKey()">📋 Copy Key</button>
+
+        <h2>📋 Claude Desktop Setup:</h2>
+        <p>Add this to your <code>claude_desktop_config.json</code>:</p>
+        <pre>{{
+  "mcpServers": {{
+    "fleetmind": {{
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"
+      ],
+      "env": {{
+        "FLEETMIND_API_KEY": "{result["api_key"]}"
+      }}
+    }}
+  }}
+}}</pre>
+
+        <h2>🚀 Next Steps:</h2>
+        <ol>
+            <li>Copy your API key (click the button above)</li>
+            <li>Add it to your Claude Desktop config</li>
+            <li>Restart Claude Desktop</li>
+            <li>Start using FleetMind tools!</li>
+        </ol>
+
+        <p style="text-align: center; margin-top: 30px;">
+            <a href="/" style="color: #60a5fa; text-decoration: none;">← Back to Home</a>
+        </p>
+    </div>
+</body>
+</html>
+                    """)
+
+                except Exception as e:
+                    return HTMLResponse(f"<h1>Error: {str(e)}</h1>", status_code=500)
+
         logger.info("[OK] Landing page added at / route")
+        logger.info("[OK] API key generation page added at /generate-key")
         logger.info("[OK] MCP SSE endpoint available at /sse")
 
         # Run MCP server with SSE transport (includes both /sse and custom routes)

database/api_keys.py

@@ -0,0 +1,261 @@
+"""
+API Key Authentication System for FleetMind MCP Server
+
+Simple API key management for multi-tenant authentication without OAuth complexity.
+Works with Claude Desktop and mcp-remote today!
+
+Usage:
+    1. User generates API key via web interface or CLI
+    2. User adds API key to Claude Desktop config
+    3. MCP server validates key and returns user_id
+    4. Multi-tenant isolation works automatically
+"""
+
+import os
+import secrets
+import hashlib
+from datetime import datetime
+from typing import Optional, Dict
+from database.connection import get_db_connection
+
+def create_api_keys_table():
+    """Create api_keys table if it doesn't exist"""
+    conn = get_db_connection()
+    cursor = conn.cursor()
+
+    cursor.execute("""
+        CREATE TABLE IF NOT EXISTS api_keys (
+            key_id SERIAL PRIMARY KEY,
+            user_id VARCHAR(100) NOT NULL,
+            email VARCHAR(255) NOT NULL,
+            name VARCHAR(255),
+            api_key_hash VARCHAR(64) NOT NULL UNIQUE,
+            api_key_prefix VARCHAR(20) NOT NULL,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            last_used_at TIMESTAMP,
+            is_active BOOLEAN DEFAULT true,
+            UNIQUE(user_id)
+        )
+    """)
+
+    cursor.execute("""
+        CREATE INDEX IF NOT EXISTS idx_api_keys_hash
+        ON api_keys(api_key_hash)
+    """)
+
+    cursor.execute("""
+        CREATE INDEX IF NOT EXISTS idx_api_keys_user
+        ON api_keys(user_id)
+    """)
+
+    conn.commit()
+    cursor.close()
+    conn.close()
+
+def generate_api_key(email: str, name: str = None) -> Dict[str, str]:
+    """
+    Generate a new API key for a user
+
+    Args:
+        email: User's email address (used as identifier)
+        name: User's display name (optional)
+
+    Returns:
+        dict with api_key (show once!), user_id, email, name
+    """
+    # Generate secure random API key
+    api_key = f"fm_{secrets.token_urlsafe(32)}"  # fm_ prefix for FleetMind
+
+    # Hash the API key for storage (never store plain text!)
+    api_key_hash = hashlib.sha256(api_key.encode()).hexdigest()
+
+    # Store prefix for display (first 12 chars)
+    api_key_prefix = api_key[:12]
+
+    # Generate user_id from email
+    user_id = f"user_{hashlib.md5(email.encode()).hexdigest()[:12]}"
+
+    conn = get_db_connection()
+    cursor = conn.cursor()
+
+    try:
+        # Check if user already has a key
+        cursor.execute("SELECT user_id FROM api_keys WHERE email = %s", (email,))
+        existing = cursor.fetchone()
+
+        if existing:
+            cursor.close()
+            conn.close()
+            return {
+                "success": False,
+                "error": "User already has an API key. Revoke the old key first."
+            }
+
+        # Insert new API key
+        cursor.execute("""
+            INSERT INTO api_keys (user_id, email, name, api_key_hash, api_key_prefix)
+            VALUES (%s, %s, %s, %s, %s)
+            RETURNING user_id, email, name, created_at
+        """, (user_id, email, name, api_key_hash, api_key_prefix))
+
+        result = cursor.fetchone()
+        conn.commit()
+
+        if not result:
+            raise Exception("Failed to insert API key")
+
+        # Unpack the result tuple
+        ret_user_id, ret_email, ret_name, ret_created_at = result
+
+        return {
+            "success": True,
+            "api_key": api_key,  # SHOW THIS ONCE! Never displayed again
+            "user_id": ret_user_id,
+            "email": ret_email,
+            "name": ret_name or "FleetMind User",
+            "created_at": str(ret_created_at) if ret_created_at else "",
+            "message": "⚠️ IMPORTANT: Save this API key now! It won't be shown again."
+        }
+
+    except Exception as e:
+        conn.rollback()
+        import traceback
+        error_details = traceback.format_exc()
+        print(f"API Key Generation Error: {e}")
+        print(f"Error details: {error_details}")
+        return {
+            "success": False,
+            "error": f"Failed to generate API key: {str(e)}"
+        }
+    finally:
+        cursor.close()
+        conn.close()
+
+def verify_api_key(api_key: str) -> Optional[Dict[str, str]]:
+    """
+    Verify API key and return user info
+
+    Args:
+        api_key: The API key to verify
+
+    Returns:
+        User info dict if valid, None if invalid
+    """
+    if not api_key or not api_key.startswith("fm_"):
+        return None
+
+    # Hash the provided key
+    api_key_hash = hashlib.sha256(api_key.encode()).hexdigest()
+
+    conn = get_db_connection()
+    cursor = conn.cursor()
+
+    try:
+        # Look up the key
+        cursor.execute("""
+            SELECT user_id, email, name, is_active
+            FROM api_keys
+            WHERE api_key_hash = %s
+        """, (api_key_hash,))
+
+        result = cursor.fetchone()
+
+        if not result:
+            return None
+
+        user_id, email, name, is_active = result
+
+        if not is_active:
+            return None
+
+        # Update last_used_at
+        cursor.execute("""
+            UPDATE api_keys
+            SET last_used_at = CURRENT_TIMESTAMP
+            WHERE api_key_hash = %s
+        """, (api_key_hash,))
+        conn.commit()
+
+        return {
+            'user_id': user_id,
+            'email': email,
+            'name': name or 'FleetMind User',
+            'scopes': ['orders:read', 'orders:write', 'drivers:read', 'drivers:write', 'assignments:manage']
+        }
+
+    except Exception as e:
+        print(f"API key verification error: {e}")
+        return None
+    finally:
+        cursor.close()
+        conn.close()
+
+def list_api_keys() -> list:
+    """List all API keys (without showing actual keys)"""
+    conn = get_db_connection()
+    cursor = conn.cursor()
+
+    cursor.execute("""
+        SELECT user_id, email, name, api_key_prefix, created_at, last_used_at, is_active
+        FROM api_keys
+        ORDER BY created_at DESC
+    """)
+
+    keys = []
+    for row in cursor.fetchall():
+        keys.append({
+            'user_id': row[0],
+            'email': row[1],
+            'name': row[2],
+            'key_preview': f"{row[3]}...",
+            'created_at': row[4].isoformat(),
+            'last_used_at': row[5].isoformat() if row[5] else None,
+            'is_active': row[6]
+        })
+
+    cursor.close()
+    conn.close()
+    return keys
+
+def revoke_api_key(email: str) -> Dict[str, any]:
+    """Revoke (deactivate) an API key"""
+    conn = get_db_connection()
+    cursor = conn.cursor()
+
+    try:
+        cursor.execute("""
+            UPDATE api_keys
+            SET is_active = false
+            WHERE email = %s
+            RETURNING user_id, email
+        """, (email,))
+
+        result = cursor.fetchone()
+        conn.commit()
+
+        if result:
+            return {
+                "success": True,
+                "message": f"API key revoked for {result[1]}"
+            }
+        else:
+            return {
+                "success": False,
+                "error": "No API key found for this email"
+            }
+
+    except Exception as e:
+        conn.rollback()
+        return {
+            "success": False,
+            "error": f"Failed to revoke key: {str(e)}"
+        }
+    finally:
+        cursor.close()
+        conn.close()
+
+# Initialize table on import
+try:
+    create_api_keys_table()
+except:
+    pass  # Table might already exist

generate_api_key.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env python3
+"""
+FleetMind API Key Generator
+
+Generate API keys for users to authenticate with FleetMind MCP Server.
+
+Usage:
+    python generate_api_key.py
+    python generate_api_key.py --email user@example.com --name "John Doe"
+    python generate_api_key.py --list
+    python generate_api_key.py --revoke user@example.com
+"""
+
+import argparse
+import sys
+from database.api_keys import generate_api_key, list_api_keys, revoke_api_key
+
+def main():
+    parser = argparse.ArgumentParser(
+        description='FleetMind API Key Management',
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Interactive mode (prompts for email and name)
+  python generate_api_key.py
+
+  # Generate key with arguments
+  python generate_api_key.py --email alice@company.com --name "Alice Smith"
+
+  # List all API keys
+  python generate_api_key.py --list
+
+  # Revoke a key
+  python generate_api_key.py --revoke alice@company.com
+        """
+    )
+
+    parser.add_argument('--email', help='User email address')
+    parser.add_argument('--name', help='User display name')
+    parser.add_argument('--list', action='store_true', help='List all API keys')
+    parser.add_argument('--revoke', metavar='EMAIL', help='Revoke API key for email')
+
+    args = parser.parse_args()
+
+    # List API keys
+    if args.list:
+        print("\n" + "="*80)
+        print("FLEETMIND API KEYS")
+        print("="*80 + "\n")
+
+        keys = list_api_keys()
+        if not keys:
+            print("No API keys found.\n")
+            return
+
+        for key in keys:
+            status = "✅ Active" if key['is_active'] else "❌ Revoked"
+            print(f"Email:      {key['email']}")
+            print(f"Name:       {key['name']}")
+            print(f"User ID:    {key['user_id']}")
+            print(f"Key:        {key['key_preview']}")
+            print(f"Created:    {key['created_at']}")
+            print(f"Last Used:  {key['last_used_at'] or 'Never'}")
+            print(f"Status:     {status}")
+            print("-" * 80)
+
+        print()
+        return
+
+    # Revoke API key
+    if args.revoke:
+        print(f"\n⚠️  Revoking API key for {args.revoke}...")
+        result = revoke_api_key(args.revoke)
+
+        if result['success']:
+            print(f"✅ {result['message']}\n")
+        else:
+            print(f"❌ Error: {result['error']}\n")
+            sys.exit(1)
+        return
+
+    # Generate new API key
+    if not args.email:
+        # Interactive mode
+        print("\n" + "="*80)
+        print("GENERATE NEW FLEETMIND API KEY")
+        print("="*80 + "\n")
+
+        email = input("Enter user email: ").strip()
+        if not email:
+            print("❌ Email is required")
+            sys.exit(1)
+
+        name = input("Enter user name (optional): ").strip() or None
+    else:
+        email = args.email
+        name = args.name
+
+    print(f"\nGenerating API key for {email}...")
+    result = generate_api_key(email, name)
+
+    if not result['success']:
+        print(f"\n❌ Error: {result['error']}\n")
+        sys.exit(1)
+
+    # Success! Display the API key
+    print("\n" + "="*80)
+    print("✅ API KEY GENERATED SUCCESSFULLY")
+    print("="*80 + "\n")
+
+    print(f"Email:      {result['email']}")
+    print(f"Name:       {result['name']}")
+    print(f"User ID:    {result['user_id']}")
+    print(f"Created:    {result['created_at']}")
+    print()
+    print("🔑 API KEY (copy this now - it won't be shown again!):")
+    print("-" * 80)
+    print(result['api_key'])
+    print("-" * 80)
+    print()
+    print("📋 Add this to your Claude Desktop config:")
+    print()
+    print('  {')
+    print('    "mcpServers": {')
+    print('      "fleetmind": {')
+    print('        "command": "npx",')
+    print('        "args": [')
+    print('          "mcp-remote",')
+    print('          "https://mcp-1st-birthday-fleetmind-dispatch-ai.hf.space/sse"')
+    print('        ],')
+    print('        "env": {')
+    print(f'          "FLEETMIND_API_KEY": "{result["api_key"]}"')
+    print('        }')
+    print('      }')
+    print('    }')
+    print('  }')
+    print()
+    print("⚠️  IMPORTANT: Save this API key securely. You won't be able to see it again!")
+    print()
+
+if __name__ == "__main__":
+    main()

requirements.txt

@@ -17,7 +17,6 @@ psycopg2-binary>=2.9.9
 # API Clients
 googlemaps>=4.10.0
 requests>=2.31.0
-stytch>=8.0.0
 
 # Utilities
 python-dotenv>=1.0.0

server.py

@@ -18,15 +18,13 @@ from datetime import datetime
 sys.path.insert(0, str(Path(__file__).parent))
 
 from fastmcp import FastMCP
-from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier, AccessToken
-from pydantic import AnyHttpUrl
 
 # Import existing services (unchanged)
 from chat.geocoding import GeocodingService
 from database.connection import execute_query, execute_write, test_connection
 
-# Import authentication module
-from database.user_context import verify_token, check_permission, get_required_scope
+# Import permission checking
+from database.user_context import check_permission, get_required_scope
 
 # Configure logging
 logging.basicConfig(
@@ -39,65 +37,9 @@ logging.basicConfig(
 )
 logger = logging.getLogger(__name__)
 
-# ============================================================================
-# OAUTH AUTHENTICATION SETUP
-# ============================================================================
-
-class StytchTokenVerifier(TokenVerifier):
-    """Token verifier for Stytch session tokens"""
-
-    def __init__(self):
-        super().__init__(
-            base_url=os.getenv('SERVER_URL', 'http://localhost:7860'),
-            required_scopes=None  # Scope checking handled per-tool
-        )
-
-    async def verify_token(self, token: str) -> AccessToken | None:
-        """Verify Stytch session token and return AccessToken"""
-        try:
-            # Use existing Stytch verification function
-            user_info = verify_token(token)
-
-            if not user_info:
-                logger.debug(f"Token verification failed")
-                return None
-
-            # Convert to FastMCP AccessToken format
-            access_token = AccessToken(
-                token=token,
-                client_id=user_info['user_id'],
-                scopes=user_info.get('scopes', []),
-                resource_owner=user_info.get('email'),
-                claims={
-                    'user_id': user_info['user_id'],
-                    'email': user_info['email'],
-                    'name': user_info.get('name', 'Unknown User'),
-                }
-            )
-
-            logger.info(f"Token verified for user: {user_info['email']} (user_id: {user_info['user_id']})")
-            return access_token
-
-        except Exception as e:
-            logger.error(f"Token verification error: {e}")
-            return None
-
-# Create OAuth authentication provider (but don't apply globally yet)
-auth_provider = RemoteAuthProvider(
-    token_verifier=StytchTokenVerifier(),
-    authorization_servers=[AnyHttpUrl('https://test.stytch.com/v1/public')],
-    base_url=os.getenv('SERVER_URL', 'http://localhost:7860'),
-    resource_name="FleetMind Dispatch Coordinator"
-)
-
-logger.info("OAuth authentication provider configured with Stytch")
-
 # ============================================================================
 # MCP SERVER INITIALIZATION
 # ============================================================================
-
-# NOTE: Not using auth=auth_provider here because it would block SSE connections
-# Instead, we manually verify tokens in each tool using get_authenticated_user()
 mcp = FastMCP(
     name="FleetMind Dispatch Coordinator",
     version="1.0.0"
@@ -116,21 +58,36 @@ except Exception as e:
     logger.error(f"Database: Connection failed - {e}")
 
 # ============================================================================
-# AUTHENTICATION
+# AUTHENTICATION - API KEY SYSTEM
 # ============================================================================
 
-# Note: OAuth metadata endpoint will be added via app.py instead of here
-# FastMCP doesn't expose direct app access for custom routes
-
 def get_authenticated_user():
     """
-    Extract and verify user from authentication token via FastMCP
+    Extract and verify user via API Key authentication
+
+    Supports 2 authentication methods:
+    1. API Key (from FLEETMIND_API_KEY env var) - Production & user auth
+    2. Development Mode (SKIP_AUTH=true) - Local testing only
 
     Returns:
         User info dict with user_id, email, scopes, name or None if not authenticated
     """
     try:
-        # Development bypass mode
+        # METHOD 1: API Key Authentication
+        # Users set this in their Claude Desktop config:
+        # "env": {"FLEETMIND_API_KEY": "fm_xxxxx"}
+        api_key = os.getenv("FLEETMIND_API_KEY")
+        if api_key:
+            from database.api_keys import verify_api_key
+            user_info = verify_api_key(api_key)
+            if user_info:
+                logger.info(f"✅ API Key auth: {user_info['email']} (user_id: {user_info['user_id']})")
+                return user_info
+            else:
+                logger.warning(f"❌ Invalid API key provided")
+                return None
+
+        # METHOD 2: Development bypass mode (local testing only)
         if os.getenv("SKIP_AUTH") == "true":
             logger.debug("SKIP_AUTH enabled - using development user")
             return {
@@ -140,31 +97,10 @@ def get_authenticated_user():
                 'name': 'Development User'
             }
 
-        # Extract token from FastMCP request context
-        from fastmcp.server.dependencies import get_access_token
-
-        access_token = get_access_token()
-
-        if not access_token:
-            logger.debug("No access token found in request context")
-            return None
-
-        # Token already verified by FastMCP auth middleware
-        # Extract user info from AccessToken claims
-        user_info = {
-            'user_id': access_token.claims.get('user_id') or access_token.client_id,
-            'email': access_token.resource_owner or access_token.claims.get('email', 'unknown'),
-            'scopes': access_token.scopes or [],
-            'name': access_token.claims.get('name', 'Unknown User')
-        }
-
-        logger.info(f"Authenticated user: {user_info['email']} (user_id: {user_info['user_id']})")
-        return user_info
-
-    except RuntimeError as e:
-        # No HTTP request context available (likely stdio mode or testing)
-        logger.debug(f"No request context available: {e}")
+        # No authentication provided
+        logger.debug("No API key or SKIP_AUTH - authentication required")
         return None
+
     except Exception as e:
         logger.error(f"Authentication error: {e}")
         return None