
API Keys

Learn how to create and manage API keys for secure access to your MCP servers.

What Are API Keys?

API Keys are secure tokens that authenticate requests to your MCP servers. They allow programmatic access without requiring JWT authentication, making them ideal for:

  • Integrating with external applications
  • Connecting AI agents and assistants
  • Automating workflows
  • Testing server endpoints

Key Format

All Reeva API keys follow this format:

mcpk_<random_secure_string>

The mcpk_ prefix identifies it as a Reeva MCP key. The remaining characters are cryptographically secure random data.

How API Keys Work

Create Key → Link to Server(s) → Use in API Calls → Access Granted

Security Model

  • Keys are hashed before storage (the raw key is never stored)
  • Raw keys are shown only once at creation time
  • Keys must be linked to a server to grant access
  • Keys can be deactivated without deletion
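
The model above, sketched as an added example (this is not Reeva's implementation): a store that keeps only a digest plus the 8-character display prefix listed under Key Properties, returns the raw key once, and rejects inactive or unlinked keys. SHA-256, `secrets.token_urlsafe`, the `KeyStore` class and the `srv-a` style server IDs are assumptions.

```python
import hashlib
import secrets

PREFIX = "mcpk_"


def _digest(raw_key):
    # A fast hash is adequate because the key is long random data, not a
    # guessable password (SHA-256 is an assumption, not Reeva's stated choice).
    return hashlib.sha256(raw_key.encode()).hexdigest()


class KeyStore:
    """Hypothetical in-memory key table: holds digests, never raw keys."""

    def __init__(self):
        self._rows = {}  # digest -> record

    def create(self, name, servers=()):
        raw = PREFIX + secrets.token_urlsafe(32)
        self._rows[_digest(raw)] = {
            "name": name,
            "prefix": raw[:8],  # kept so the key can be identified later
            "active": True,
            "servers": set(servers),
            "usage_count": 0,
        }
        return raw  # shown once; only the digest remains afterwards

    def set_active(self, name, active):
        for row in self._rows.values():
            if row["name"] == name:
                row["active"] = active

    def authorize(self, authorization_header, server_id):
        """True only for an active key that is linked to server_id."""
        scheme, _, raw = authorization_header.partition(" ")
        if scheme != "Bearer" or not raw.startswith(PREFIX):
            return False
        row = self._rows.get(_digest(raw))
        if row is None or not row["active"] or server_id not in row["servers"]:
            return False
        row["usage_count"] += 1
        return True
```

Because only the digest is stored, a leaked copy of the table does not yield usable keys, and a lost key can only be replaced, not recovered.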

Key Properties

Each API key has the following properties:

| Property | Description |
| --- | --- |
| Name | Human-readable identifier you choose |
| Prefix | First 8 characters (e.g., mcpk_ab...) for identification |
| Status | Active or Inactive |
| Created | When the key was generated |
| Last Used | Most recent usage timestamp |
| Usage Count | Number of times the key has been used |
| Linked Servers | Which servers this key can access |

Creating API Keys

Via Dashboard

  1. Navigate to API Keys

  2. Click "New API Key"

  3. Enter Key Name

    Name: Production Agent Key

    Use descriptive names that identify the key's purpose.

  4. Link to Servers (Optional)

    • Select one or more servers to link immediately
    • You can also link servers later

  5. Click "Create Key"

  6. Save Your Key

    A dialog appears with your raw key:

    mcpk_a1b2c3d4e5f6g7h8i9j0...

    Copy this key immediately and store it securely.

  7. Acknowledge

    • Click "I've Saved the Key"
    • The raw key will never be shown again

Best Practices for Key Names

✅ Good:

  • "Production Claude Agent"
  • "Development Testing"
  • "CI/CD Pipeline - Staging"
  • "Personal Assistant Bot"

❌ Bad:

  • "Key 1"
  • "Test"
  • "asdf"

Managing API Keys

Viewing Keys

The API Keys page displays all your keys as expandable cards:

  • Collapsed view: Name, prefix, status
  • Expanded view: Full details including linked servers and usage stats

Click on a key card to expand/collapse it.

Linking Servers

A key must be linked to a server to access it.

To link a server:

  1. Expand the key card
  2. Find the "Link to Server" section
  3. Select a server from the dropdown
  4. Click "Link"

To unlink a server:

  1. Expand the key card
  2. Find the server badge under "Linked Servers"
  3. Click the × button on the badge

A single key can be linked to multiple servers, so one key can grant access to several servers.

Activating/Deactivating Keys

Deactivating a key temporarily disables it without deleting it.

To toggle status:

  1. Find the key card
  2. Click "Deactivate" (or "Activate")

| Status | Behavior |
| --- | --- |
| Active | Key works normally |
| Inactive | All requests are rejected with 401 error |

Use deactivation when you suspect a key may be compromised but want to investigate before permanent deletion.

Deleting Keys

To delete a key:

  1. Click the trash icon on the key card
  2. Confirm deletion in the dialog

Warning: Deletion is permanent and cannot be undone. Any applications using this key will immediately lose access.

Using API Keys

Include your API key in the Authorization header:

Authorization: Bearer mcpk_your_key_here

Keys work with MCP protocol endpoints:

  • POST /mcp/{server_id} - MCP protocol calls
  • GET /mcp/{server_id}/tools - List available tools

Requirements:

  • Key must be active
  • Key must be linked to the target server
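
A client-side sketch of the calls described above, as an added example rather than Reeva's own SDK code: the key comes from an environment variable, requests are built for the two documented endpoints, and logs get only the 8-character prefix. `BASE_URL` is a placeholder (the page names no host), and `REEVA_API_KEY` and the function names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://reeva.example.invalid"  # placeholder host (not given on the page)
ENV_VAR = "REEVA_API_KEY"                   # assumed variable name


def load_key(environ=None):
    """Read the key from the environment; reject anything that is not a full mcpk_ key."""
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR, "").strip()
    if not key.startswith("mcpk_") or len(key) <= len("mcpk_"):
        raise RuntimeError(f"{ENV_VAR} is unset or is not a full mcpk_ key")
    return key


def key_label(key):
    """Identifier that is safe to log: the 8-character prefix the dashboard also shows."""
    return key[:8] + "..."


def _request(method, path, key, body=None):
    headers = {"Authorization": f"Bearer {key}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(BASE_URL + path, data=data, method=method, headers=headers)


def mcp_call(key, server_id, payload):
    """Build POST /mcp/{server_id}; send it with urllib.request.urlopen(req, timeout=...)."""
    return _request("POST", "/mcp/" + urllib.parse.quote(server_id, safe=""), key, payload)


def list_tools(key, server_id):
    """Build GET /mcp/{server_id}/tools."""
    return _request("GET", "/mcp/" + urllib.parse.quote(server_id, safe="") + "/tools", key)
```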

Security Best Practices

Do

  • ✅ Store keys in a password manager or secrets vault
  • ✅ Use environment variables in applications
  • ✅ Create separate keys for different environments (dev/staging/prod)
  • ✅ Use descriptive names to track each key's purpose
  • ✅ Rotate keys every 90 days
  • ✅ Revoke unused keys immediately
  • ✅ Link keys only to servers they need (least privilege)

Don't

  • ❌ Commit keys to version control
  • ❌ Share keys via email, chat, or documents
  • ❌ Use production keys for testing
  • ❌ Share one key across multiple applications
  • ❌ Keep inactive keys around indefinitely
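
A pre-commit style check for the first item in the list above, as an added example that is not part of Reeva's tooling: it reads a unified diff and reports keys found on added lines, printing only the 8-character prefix. The key shape in `KEY_RE` (20 or more URL-safe characters after `mcpk_`) is an assumption, since the page specifies only the prefix; the sample diff is constructed.

```python
import re
import sys

# Assumed key shape: the page documents only the "mcpk_" prefix.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])mcpk_[A-Za-z0-9_-]{20,}")
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample diff; the key value is made up.
SAMPLE_DIFF = """\
--- a/agent/.env
+++ b/agent/.env
@@ -1,2 +1,3 @@
 LOG_LEVEL=info
+REEVA_API_KEY=mcpk_Zx9constructedSampleKeyValue0001
 TIMEOUT=30
"""


def scan_diff(diff_text):
    """Return (path, line, redacted_key) for each key on an added line."""
    findings, path, lineno, old_left, new_left = [], None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:            # inside a hunk body
            if line.startswith("+"):
                for hit in KEY_RE.finditer(line[1:]):
                    findings.append((path, lineno, hit.group()[:8] + "..."))
                lineno, new_left = lineno + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):         # context line
                lineno, old_left, new_left = lineno + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK_RE.match(line)):
            old_left = int(m.group(1) or 1)
            lineno = int(m.group(2))
            new_left = int(m.group(3) or 1)
    return findings


if __name__ == "__main__":
    hits = scan_diff(sys.stdin.read())
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: possible Reeva API key {key}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Saved under a name of your choice (for example `scan_keys.py`), it can run from a pre-commit hook as `git diff --cached | python scan_keys.py`; a non-zero exit blocks the commit.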

Rotation Schedule

| Timeframe | Action |
| --- | --- |
| Every 90 days | Create new key, update applications, delete old key |
| Immediately | Revoke if compromised or no longer needed |
| On team changes | Rotate keys when team members leave |

Troubleshooting

"Invalid or expired API key"

Cause: Key doesn't exist, is inactive, or isn't linked to the target server.

Solution:

  1. Verify the key exists in your dashboard
  2. Check that the key is Active
  3. Ensure the key is linked to the server you're calling
  4. Confirm you're using the full key (including mcpk_ prefix)

"Forgot to copy my key"

Cause: Raw keys are only shown once at creation.

Solution: Create a new key. The old key cannot be retrieved (by design, for security).

"Key works for one server but not another"

Cause: Key isn't linked to all intended servers.

Solution:

  1. Go to API Keys page
  2. Expand the key card
  3. Link the additional server

"Key suddenly stopped working"

Cause: Key may have been deactivated or deleted.

Solution:

  1. Check if the key still exists
  2. Verify it's set to Active
  3. If deleted, create a new key
