API Keys
Every MCP App in MCPGate is identified by a unique API key. The key is how your AI client authenticates with the MCPGate endpoint and determines which app — and therefore which tools and guardrails — apply to that session.
Key format
All MCPGate API keys begin with the prefix mgw_ followed by a 32-character random string. The prefix makes them easy to identify and allows secret-scanning tools (GitHub, GitLab, etc.) to automatically detect and alert on accidental commits.
Example: mgw_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Keys are shown only once
When you create a new app, MCPGate displays the full API key exactly once. After you close or navigate away from that dialog, the key is no longer retrievable from the dashboard. MCPGate stores only a hashed version of the key.
Copy immediately
How keys are stored
MCPGate hashes API keys using Argon2id before storing them in the database. The plain-text key never touches disk. When a request arrives, MCPGate hashes the presented key and compares it to the stored hash — the same mechanism used for password authentication.
This means that even if the MCPGate database were compromised, the attacker would not obtain usable API keys.
Using your API key
MCPGate supports two ways to pass the API key. Both are equivalent — choose whichever your AI client supports.
URL path (recommended)
Embed the key directly in the MCP endpoint URL. Most AI clients (Claude Desktop, Cursor, etc.) accept a URL with the key already included.
https://api.mcpgate.sh/mcp/mgw_yourkey
Authorization header
Pass the key as a Bearer token in the HTTP Authorization header. Use this method when calling the MCPGate API directly (e.g. from a custom integration or script).
Authorization: Bearer mgw_yourkey
Regenerating a key
To regenerate a key, open the app, go to Settings, and click Regenerate Key. MCPGate immediately invalidates the old key and generates a new one. Any AI client using the old key will start receiving authentication errors within seconds.
Update the MCP endpoint URL in all clients that use this app before regenerating, or be prepared to update them immediately after.
Regeneration is instant and irreversible
Per-app isolation
Each app has exactly one API key. Keys are not shared across apps — a key only grants access to the tools and guardrails configured for its specific app. If you want to give a second AI client access, create a second app and configure it independently.
Key rotation best practices
- Store keys in your AI client's native secret store, not in plain-text config files.
- Rotate keys on a regular schedule (e.g. every 90 days) as a hygiene measure.
- Create a separate app (and key) for each distinct AI client or workflow.
- If a key is accidentally committed to a repository, regenerate it before the commit is pushed — or immediately after if already pushed.
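A local check for the key format described under "Key format" and for the leaked-key advice in the list above, added here as an example and not MCPGate's own code: it finds mgw_ keys in text, in both the URL-path and Bearer forms, and redacts them. The character class is an assumption taken from the page's example key, and the function names are hypothetical.

```python
import re

# Assumption: the 32 characters after "mgw_" are ASCII letters and digits, as in
# the page's example key; the page does not state the alphabet.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])mgw_[A-Za-z0-9]{32}(?![A-Za-z0-9])")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be matched to an app."""
    return key[:4] + "*" * 28 + key[-4:]


def scan(text: str):
    """Return (line_number, redacted_key) for every MCPGate-style key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def scrub(text: str) -> str:
    """Replace every key with its redacted form, e.g. before shipping logs."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input: the page's example key in the two transport forms,
# plus two strings that must not match (bare prefix, key-like but too long).
SAMPLE = """\
url = "https://api.mcpgate.sh/mcp/mgw_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
Authorization: Bearer mgw_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
note: keys start with mgw_ and are shown once
id = mgw_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6EXTRA
"""

if __name__ == "__main__":
    for lineno, key in scan(SAMPLE):
        print(f"line {lineno}: {key}")
```

Run scan over files in a pre-commit hook and scrub over log lines before they leave the host; a key embedded in the URL path is written wherever that URL is logged.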