# local-ydb-toolkit auth

Public promo read endpoints require no authentication.

The hosted promo site does not receive local-ydb credentials, SSH keys, password files, or private config paths. local YDB credentials stay local to the user's MCP client, shell, CI runner, or chosen secret store.

OAuth is not part of v1. There is no browser account flow in v1. Actual operational authorization is controlled by the user's local MCP client configuration and by the local-ydb-toolkit confirm: true execution gates.