Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mcpcore.io/llms.txt

Use this file to discover all available pages before exploring further.

The four security modes

ModeHow the client authenticatesBest for
PublicNo credentials neededOpen demos, read-only public data
UnlistedSecret key embedded in the URLQuick internal sharing without credential management
API KeyAuthorization: Bearer <key> headerInternal tools and integrations where you control the clients
OAuthOAuth 2.0 authorization flowUser-facing apps with per-user identity
Security is configured per-server, not per-account. You can run a public demo server and a production API-Key-locked server at the same time.

Choosing the right mode

Public

No authentication required. Anyone with the endpoint URL can call your tools. Use for open demos or tools that only read publicly available data. Configure Public mode →

Unlisted

The server URL itself contains an embedded 48-character secret key generated by MCPCore: 
https://your-subdomain.mcpcore.io/mcp/{secretKey}
Only clients that have the full URL (including the key) can reach the server. There is no auth header to configure — just share the complete URL with trusted parties. The secret key is system-generated and not displayed after creation; it is embedded directly in the connection URL. Use for internal tools or quick sharing where you want a URL that’s not publicly guessable, without the overhead of managing API keys. Configure Unlisted mode →

API Key

Clients include a long-lived token in the Authorization header: 
Authorization: Bearer <your-api-key>
The key is generated by MCPCore as a signed JWT and displayed once at creation. It remains valid until you explicitly revoke it. You can create multiple keys — one per integration or team member — and revoke them individually. Use for internal tools and server-to-server integrations where you control the clients. Configure API Key mode →

OAuth

Clients authenticate through a standard OAuth 2.0 authorization flow. You supply your Authorization Server’s RFC 8414 metadata URL (the .well-known endpoint from Okta, Auth0, Keycloak, or your own server). MCPCore validates the metadata, sets up discovery endpoints for your subdomain, and verifies incoming JWTs using your server’s public keys. MCP clients register themselves and complete the OAuth flow automatically. Use for user-facing applications where tools act on behalf of individual users, or wherever you want to reuse an existing identity provider. Configure OAuth mode →

Changing the security mode

Switch modes at any time from the server’s Edit form. The subdomain URL stays the same.
Mode changes take effect immediately. Connected clients that no longer provide valid credentials will receive 401 Unauthorized.

Security does not affect tool code

Your tool code always receives the same params and env objects regardless of the security mode. Authentication is handled entirely at the server layer before your code runs.