# Ground-to-cloud authentication

> When MCP Servers run locally (using `uipath run`), authentication happens at two separate layers:

When MCP Servers run locally (using `uipath run`), authentication happens at two separate layers:

* **Runtime to cloud**: the local runtime authenticates so that it can register the MCP Server with the cloud.
* **Client to cloud**: external clients authenticate when they call the cloud-facing MCP Server endpoint.

## Layer 1: runtime to cloud (server registration)

The `uipath run` command needs its own token to register the MCP Server with the cloud. This is the developer's authentication, the identity of the person running the server locally.

```shell
# Authenticate the runtime — interactive login
uipath auth

# Or authenticate the runtime — client credentials
uipath auth --client-id "..." \
  --client-secret "..." \
  --base-url "https://cloud.uipath.com/{org}/{tenant}" \
  --scope "OR.Default"

# Start the local server
uipath run mcp-server
```

The runtime uses this token to establish a SignalR connection to the cloud and register the server's tools.

## Layer 2: client to cloud (calling the server)

External clients (such as MCP Inspector, cURL, an IDE, or any HTTP client) authenticate to the cloud through any of the four standard methods described in [MCP Server authentication](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/mcp-server-authentication). The URL is the same as for any other MCP Server:

```
https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}
```

## How requests flow

The client's Bearer token never reaches the local runtime. The cloud validates the token and forwards only the MCP protocol message through Redis. The local runtime and the MCP Server process do not see the token.

![Requests flow](https://dev-assets.cms.uipath.com/assets/images/orchestrator/Requests_flow-c08c0572.webp)

## Applicable MCP Server types

Ground-to-cloud authentication applies to MCP Server types that have a local runtime:

* **Self-hosted**: always runs locally, always uses ground-to-cloud authentication.
* **Coded** and **Command**: use ground-to-cloud authentication when run locally through `uipath run` during development. Once deployed to Orchestrator, they run as cloud jobs and no local runtime is involved.

## Client credentials with local servers

When using client credentials with `uipath run`, set the `UIPATH_FOLDER_KEY` environment variable. The Python SDK's `GetFoldersForCurrentUser` call does not support client credentials. For details, see [Known limitation: GetFoldersForCurrentUser](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/authenticating-with-an-external-application#known-limitation-getfoldersforcurrentuser).