## The four security modes
| Mode | How the client authenticates | Best for |
|---|---|---|
| Public | No credentials needed | Open demos, read-only public data |
| Unlisted | Secret key embedded in the URL | Quick internal sharing without credential management |
| API Key | `Authorization: Bearer <key>` header | Internal tools and integrations where you control the clients |
| OAuth | OAuth 2.0 authorization flow | User-facing apps with per-user identity |
Security is configured per-server, not per-account. You can run a public demo server and a production API-Key-locked server at the same time.
## Choosing the right mode
### Public
No authentication required. Anyone with the endpoint URL can call your tools.
Use for open demos or tools that only read publicly available data.
Configure Public mode →
### Unlisted
The server URL itself contains an embedded 48-character secret key generated by MCPCore:
```text
https://your-subdomain.mcpcore.io/mcp/{secretKey}
```
Only clients that have the full URL (including the key) can reach the server. There is no auth header to configure — just share the complete URL with trusted parties. The secret key is system-generated and not displayed after creation; it is embedded directly in the connection URL.
Use for internal tools or quick sharing where you want a URL that’s not publicly guessable, without the overhead of managing API keys.
Configure Unlisted mode →
### API Key
Clients include a long-lived token in the Authorization header:
```http
Authorization: Bearer <your-api-key>
```
The key is generated by MCPCore and displayed once at creation. It remains valid until you explicitly revoke it. You can create multiple keys — one per integration or team member — and revoke them individually.
Use for internal tools and server-to-server integrations where you control the clients.
Configure API Key mode →
### OAuth
Clients authenticate through a standard OAuth 2.0 authorization flow. You supply your app’s OAuth metadata URL; MCPCore handles token acquisition, storage, and refresh automatically.
Use for user-facing applications where tools act on behalf of individual users.
Configure OAuth mode →
## Changing the security mode
Switch modes at any time from the server’s Edit form. The subdomain URL stays the same.
Mode changes take effect immediately. Connected clients that no longer provide valid credentials will receive 401 Unauthorized.
Your tool code always receives the same params and env objects regardless of the security mode. Authentication is handled entirely at the server layer before your code runs.
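To make the four modes and the "mode changes take effect immediately" behaviour concrete, here is an added example of a server-layer gate that sits in front of tool code. It is illustrative code written for this page, not MCPCore's implementation; the `Server` record, the `authorize` function and the pluggable `oauth_token_valid` callback are assumptions, and the sample keys are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Server:
    """Hypothetical per-server security settings (one record per server, not per account)."""
    mode: str                                   # "public" | "unlisted" | "api_key" | "oauth"
    secret_key: str = ""                        # unlisted: key embedded in the URL path
    api_keys: Dict[str, str] = field(default_factory=dict)  # key -> label; delete an entry to revoke


def new_unlisted_key() -> str:
    """48-character URL-safe secret, the length the page describes for unlisted servers."""
    return secrets.token_urlsafe(36)           # 36 random bytes -> 48 base64url characters


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak how much of a key matched.
    return hmac.compare_digest(a.encode(), b.encode())


def authorize(server: Server, path: str, headers: Dict[str, str],
              oauth_token_valid: Callable[[str], bool] = lambda _t: False) -> int:
    """Return 200 if the request may reach tool code, else 401; tool code never sees this."""
    if server.mode == "public":
        return 200                              # no credentials needed
    if server.mode == "unlisted":
        presented = path.rstrip("/").rsplit("/", 1)[-1]   # last path segment is the key
        return 200 if server.secret_key and _same(presented, server.secret_key) else 401
    # API Key and OAuth both expect "Authorization: Bearer <token>" (header names are case-insensitive).
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401
    token = token.strip()
    if server.mode == "api_key":
        # Check every unrevoked key; a revoked key is simply absent from the dict.
        return 200 if any(_same(token, k) for k in server.api_keys) else 401
    if server.mode == "oauth":
        return 200 if oauth_token_valid(token) else 401
    return 401                                  # unknown mode: fail closed


def switch_mode(server: Server, mode: str) -> None:
    """Mode changes apply to the next request; clients without matching credentials get 401."""
    server.mode = mode
```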