Skip to main content

How it works

In API Key mode, MCPCore checks every incoming request for a valid Authorization: Bearer header. Requests that omit the header or provide an unrecognised key receive a 401 Unauthorized response before any tool code runs. MCPCore generates the key for you when you select this mode. The key is shown once at creation — store it securely. It remains valid until you explicitly revoke it; there is no automatic expiry. You can create multiple keys — one per integration, team member, or client — and revoke them individually without affecting the others.

When to use it

  • Internal tooling — you control all the clients and can distribute the key securely
  • CI/CD and automation pipelines — a non-expiring credential that doesn’t require OAuth flows
  • Team tools — issue one key per team or one key per integration and revoke per-client when needed
  • Server-to-server integrations — your backend includes the key on every request

Configure

1

Create or edit a server

Open the server creation form (New Server) or click Edit on an existing server.
2

Select API Key

Under Security Mode, select API Key.MCPCore automatically generates an API key and displays it in the form.
API Key security mode selected with generated key
3

Copy the key

Copy the key immediately — it is shown only once. Store it securely (a password manager, vault, or environment variable in your CI system).
4

Save

Click Save. The server now requires the Authorization: Bearer header for all requests.

Client configuration

Include the key in the Authorization: Bearer header: 
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": [
        "-y", "mcp-remote@latest",
        "https://your-subdomain.mcpcore.io/mcp",
        "--header", "Authorization: Bearer <your-api-key>"
      ]
    }
  }
}
The Integration tab on your server’s detail page generates these snippets with your actual key pre-filled.

Key management

From the server’s Overview section you can:
  • Generate additional keys (one per integration or environment)
  • Revoke individual keys without affecting others
  • Label keys so you know which integration uses each one
Revoking a key takes effect immediately. Clients using that key will receive 401 until they are reconfigured with a valid key.

Key rotation

To rotate a key without downtime:
  1. Generate a new key from the dashboard
  2. Update your client configurations with the new key
  3. Verify the clients are working
  4. Revoke the old key