Skip to main content

MCP Keys API

The MCP Keys API manages the same user-owned MCP keys shown in the dashboard MCP page.

Security and validation

  • Regular user tokens can manage keys owned by the authenticated user, matching the dashboard behavior.
  • MCP callers must have the dedicated quave:manage:mcp-keys scope to list, create, update, toggle, regenerate, reveal, or delete MCP keys.
  • MCP callers can only create or manage target keys with the same or fewer scopes than the calling MCP key. Attempts to add scopes the caller does not have are rejected server-side.
  • quave:read is always added to stored MCP key scopes.
  • Returning or revealing raw key plaintext requires quave:read:secrets for MCP callers and emits a secret-decrypt audit event for reveal.
  • Name, scope, security level, and session-duration validation is shared with the dashboard methods.

List and get MCP keys

curl -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/mcp-keys'
curl -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/mcp-key?keyId=MCP_KEY_ID'

Metadata responses never include raw key plaintext.

Create an MCP key

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "automation-read",
    "enabledScopes": ["quave:read"],
    "securityLevel": "balanced",
    "sessionDuration": 1800,
    "returnSecret": true
  }' \
  https://api.quave.cloud/api/public/v1/mcp-key

If returnSecret is true and authorized, the response includes rawKey once. Store it immediately.

Update or toggle an MCP key

curl -X PATCH \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "keyId": "MCP_KEY_ID",
    "enabled": true,
    "enabledScopes": ["quave:read", "quave:write:config"],
    "securityLevel": "strict",
    "sessionDuration": 900
  }' \
  https://api.quave.cloud/api/public/v1/mcp-key
curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{ "keyId": "MCP_KEY_ID", "enabled": false }' \
  https://api.quave.cloud/api/public/v1/mcp-key/toggle

Regenerate, reveal, or delete

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{ "keyId": "MCP_KEY_ID", "name": "automation-read-2", "returnSecret": true }' \
  https://api.quave.cloud/api/public/v1/mcp-key/regenerate
curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/mcp-key/reveal?keyId=MCP_KEY_ID'
curl -X DELETE \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/mcp-key?keyId=MCP_KEY_ID'