Create a per-account MCP API key. Use it instead of sharing your Cognito JWT with external tools. You can rotate or revoke the key anytime.
Log in, then generate a key. The full secret is shown only once—copy it before leaving this page. Rotating replaces the old key immediately.
Status: No key yet—generate one to use MCP.
The server no longer uses a global MCP_API_KEY. Ensure Cognito and the database are configured:
COGNITO_USER_POOL_ID=...
COGNITO_CLIENT_ID=...
DATABASE_URL=...
CLOUDFLARE_R2_ACCOUNT_ID=...
CLOUDFLARE_R2_ACCESS_KEY_ID=...
CLOUDFLARE_R2_SECRET_ACCESS_KEY=...
CLOUDFLARE_R2_BUCKET_NAME=...
OPENAI_API_KEY=...
GEMINI_API_KEY=...
MCP JSON-RPC URL: https://your-domain.com/api/mcp?api_key=<YOUR_MCP_API_KEY>
SSE URL: https://your-domain.com/api/mcp/sse?sessionId=<SESSION_ID>&api_key=<YOUR_MCP_API_KEY>
Query param: api_key (preferred) or legacy mcp_api_key
Header: x-api-key: <key> or legacy x-mcp-api-key
Optional: you can still authenticate with a Cognito JWT using Authorization: Bearer <jwt> or access_token in the query string instead of an MCP API key.
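Because the key or JWT can travel in the query string, request URLs should be redacted before they reach access logs. The following is an added example, not this server's own code: the function names, the header-before-query precedence and the sample inputs are assumptions, and only the parameter and header names come from this page.

```javascript
// Added example (hypothetical helpers, not the project's code).
// Query parameters this page documents as carrying a credential.
const SECRET_PARAMS = ["api_key", "mcp_api_key", "access_token"];
const BASE = "https://your-domain.com"; // placeholder base for path-only URLs

// Return path + query with every credential value replaced, safe to log.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, BASE);
  for (const name of SECRET_PARAMS) {
    if (url.searchParams.has(name)) url.searchParams.set(name, "REDACTED");
  }
  return url.pathname + url.search;
}

// Find the credential on a request. `headers` uses lowercase names, as
// Node's http module provides them. Precedence here is an assumption:
// headers first, then query string; MCP key before Cognito JWT.
function extractCredential(rawUrl, headers = {}) {
  const q = new URL(rawUrl, BASE).searchParams;
  const headerKey = headers["x-api-key"] || headers["x-mcp-api-key"];
  if (headerKey) return { kind: "mcp_key", source: "header", value: headerKey };
  const queryKey = q.get("api_key") || q.get("mcp_api_key");
  if (queryKey) return { kind: "mcp_key", source: "query", value: queryKey };
  const bearer = /^Bearer\s+(\S+)$/i.exec(headers["authorization"] || "");
  if (bearer) return { kind: "jwt", source: "header", value: bearer[1] };
  const token = q.get("access_token");
  if (token) return { kind: "jwt", source: "query", value: token };
  return null; // unauthenticated request
}

// Build an access-log line that records how the caller authenticated
// without ever writing the secret itself.
function safeLogLine(method, rawUrl, headers = {}) {
  const cred = extractCredential(rawUrl, headers);
  const auth = cred ? `${cred.kind} via ${cred.source}` : "none";
  return `${method} ${redactUrl(rawUrl)} auth=${auth}`;
}

// Constructed sample requests (values are made up).
console.log(safeLogLine("POST", "/api/mcp?api_key=k_sample_1"));
console.log(safeLogLine("GET", "/api/mcp/sse?sessionId=abc&mcp_api_key=k_old"));
console.log(safeLogLine("POST", "/api/mcp", { "x-api-key": "k_sample_2" }));
```

Logging the source alongside the redacted URL also shows which clients still send the key in the query string or use the legacy names.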
curl -X POST "https://your-domain.com/api/mcp?api_key=<YOUR_MCP_API_KEY>" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc":"2.0",
"id":1,
"method":"tools/list",
"params":{}
}'
URL: https://your-domain.com/api/mcp?api_key=<YOUR_MCP_API_KEY>
SSE URL: https://your-domain.com/api/mcp/sse?sessionId=<SESSION_ID>&api_key=<YOUR_MCP_API_KEY>
Per-user keys require the user_mcp_keys table. From any machine with DATABASE_URL set:
npm run db:migrate
Or run drizzle/0003_user_mcp_keys.sql manually in your SQL console. Verify with npm run db:check.