
API Authentication

The MCP Security Score API uses API keys for authentication. This guide covers creating, using, and managing API keys.

API Key Format

API keys follow this format:

mcp_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Prefix: mcp_sk_
  • Followed by 32 alphanumeric characters
  • Total length: 39 characters

Creating an API Key

Prerequisites

  • Pro subscription or higher
  • Logged into your MCP Security Score account

Steps

  1. Navigate to Dashboard → Settings
  2. Scroll to the API Keys section
  3. Click Create New Key
  4. Enter a name for your key (e.g., "Production CI/CD")
  5. Click Create
  6. Copy your key immediately - it's only shown once!

Key Limits

  • Maximum 10 active keys per account
  • Keys can be revoked at any time
  • Each key has independent rate limiting

Using Your API Key

Include your API key in the Authorization header as a Bearer token:

curl https://mcpscanner.com/api/v1/scan/scan_xxx \
  -H "Authorization: Bearer mcp_sk_your_api_key_here"

JavaScript/TypeScript

// The key is read from the environment at runtime, never hard-coded.
const response = await fetch('https://mcpscanner.com/api/v1/scan', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.MCP_SCANNER_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ url: 'https://github.com/owner/repo' }),
});
if (!response.ok) {
  // 401/403 bodies carry an {"error": {"code", "message"}} envelope (see Troubleshooting).
  throw new Error(`scan request failed: ${response.status}`);
}

Python

import os
import requests

# The key is read from the environment at runtime, never hard-coded.
headers = {
    'Authorization': f'Bearer {os.environ["MCP_SCANNER_API_KEY"]}',
    'Content-Type': 'application/json',
}

response = requests.post(
    'https://mcpscanner.com/api/v1/scan',
    headers=headers,
    json={'url': 'https://github.com/owner/repo'},
    timeout=30,
)
response.raise_for_status()  # raises on 401/403; see Troubleshooting below

Revoking API Keys

To revoke a compromised or unused key:

  1. Go to Dashboard → Settings
  2. Find the key in the API Keys section
  3. Click Revoke
  4. Confirm the revocation

Revoked keys are immediately invalidated and cannot be recovered.

Security Best Practices

1. Never Commit Keys

# .gitignore
.env
.env.local
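A `.gitignore` entry only protects files you remembered to list. The check below, an added example that is not part of the MCP Security Score project's own tooling, turns the key format described at the top of this page (prefix `mcp_sk_` plus exactly 32 alphanumeric characters) into a regex and uses it two ways: to validate a key before you send it, and to scan files for keys that should not be there. Run it with `--staged` from a git pre-commit hook (it assumes `git` is on PATH); without arguments it scans a constructed sample `.env` so you can see what a hit looks like. Only a redacted form of any match is printed, so the hook itself never writes the secret to a log.

```python
import re
import subprocess
import sys
from pathlib import Path

# Key format from this page: literal prefix mcp_sk_ plus exactly 32 alphanumeric
# characters (39 characters total). The \b anchors stop a 31- or 33-character
# tail from matching, so the pattern is specific to this key shape.
KEY_RE = re.compile(r"\bmcp_sk_[A-Za-z0-9]{32}\b")


def is_valid_key_format(value: str) -> bool:
    """True only if the whole string is a well-formed key."""
    return KEY_RE.fullmatch(value) is not None


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a hit is identifiable
    without the full secret being written anywhere."""
    return key[:7] + "..." + key[-4:]


def find_leaked_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_key) for every key-shaped token in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((line_no, redact(match.group(0))))
    return hits


def scan_paths(paths) -> list[tuple[str, int, str]]:
    """Scan files on disk; binary or unreadable files are skipped."""
    findings = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend((str(path), n, k) for n, k in find_leaked_keys(text))
    return findings


def staged_files() -> list[str]:
    """Files staged for the current commit (assumes git is on PATH)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample of a .env file someone is about to commit. The value is
# NOT a real key, just 32 alphanumeric characters after the documented prefix.
SAMPLE_ENV = (
    "DB_HOST=localhost\n"
    "MCP_SCANNER_API_KEY=mcp_sk_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n"
    "DEBUG=true\n"
)

if __name__ == "__main__":
    # As a pre-commit hook: scan staged files. Otherwise scan the constructed sample.
    findings = (
        scan_paths(staged_files()) if "--staged" in sys.argv
        else [("SAMPLE_ENV", n, k) for n, k in find_leaked_keys(SAMPLE_ENV)]
    )
    for path, n, key in findings:
        print(f"{path}:{n}: possible MCP API key {key}")
    sys.exit(1 if findings else 0)  # non-zero exit blocks the commit
```

A non-zero exit from a pre-commit hook aborts the commit, so wire it in with `python3 check_keys.py --staged` in `.git/hooks/pre-commit` (filename assumed). The same `find_leaked_keys` function can be pointed at CI logs or container images, which is where keys pasted into a `curl` command tend to surface.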

2. Use Environment Variables

# .env
MCP_SCANNER_API_KEY=mcp_sk_your_key_here

// In application code, read it from the environment at runtime
const apiKey = process.env.MCP_SCANNER_API_KEY;

3. Use CI/CD Secrets

GitHub Actions:

env:
  MCP_SCANNER_API_KEY: ${{ secrets.MCP_SCANNER_API_KEY }}

GitLab CI:

variables:
  MCP_SCANNER_API_KEY: $MCP_SCANNER_API_KEY

4. Rotate Keys Regularly

  • Create a new key
  • Update your applications to use it and confirm they authenticate successfully
  • Revoke the old key only after every consumer has switched

5. Use Separate Keys

  • Different keys for development/staging/production
  • A compromised key can be revoked without affecting the other environments
  • Better audit trails, since each key's usage is attributable to one environment

Troubleshooting

"Unauthorized" Error

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}

Causes:

  • Missing Authorization header
  • Invalid key format
  • Key has been revoked
  • Key belongs to a different account

Solutions:

  • Check the header format: Authorization: Bearer mcp_sk_...
  • Verify the key in Dashboard → Settings
  • Create a new key if needed

"Forbidden" Error

{
  "error": {
    "code": "FORBIDDEN",
    "message": "API access requires Pro subscription"
  }
}

Solution: upgrade to the Pro tier on the Pricing page.
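A client that handles these two errors properly, as an added example rather than code from the MCP Security Score project: it rejects a missing or malformed key locally before making a request, parses the `{"error": {"code", "message"}}` envelope shown above, attaches the matching troubleshooting hint, and tolerates non-JSON bodies such as a gateway error page instead of crashing on them. It uses only the standard library (`urllib` rather than `requests`), and the transport is injectable so the failure paths can be exercised offline against constructed responses; the body of a successful response is an assumption, since this page does not document it.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Optional

API_BASE = "https://mcpscanner.com/api/v1"


class ApiError(Exception):
    """Error returned by the API, carrying the documented code/message envelope."""

    def __init__(self, status: int, code: str, message: str, hint: str):
        super().__init__(f"{status} {code}: {message} ({hint})")
        self.status, self.code, self.message, self.hint = status, code, message, hint


# Troubleshooting advice from this page, keyed by error code. Other codes get a
# generic hint; 401 and 403 are never worth retrying because the key, not the
# network, is the problem.
HINTS = {
    "UNAUTHORIZED": "check the Authorization: Bearer mcp_sk_... header and that the key "
                    "is not revoked; create a new key in Dashboard -> Settings if needed",
    "FORBIDDEN": "API access requires a Pro subscription or higher",
}


def parse_error(body: bytes) -> tuple[str, str]:
    """Pull code and message out of {"error": {"code": ..., "message": ...}}.
    Non-JSON or differently shaped bodies yield ("UNKNOWN", <truncated text>)."""
    text = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:
        return "UNKNOWN", text[:200]
    err = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(err, dict):
        return "UNKNOWN", text[:200]
    return str(err.get("code", "UNKNOWN")), str(err.get("message", ""))


def _http_send(req: urllib.request.Request) -> tuple[int, bytes]:
    """Default transport. urllib raises on 4xx/5xx; fold that back into (status, body)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def scan_repo(repo_url: str, api_key: Optional[str], send=_http_send) -> dict:
    """Submit a scan. `send` is injectable so error handling can be tested offline."""
    # Fail fast and locally: a 401 round-trip tells you less than this check does,
    # and the key never leaves the process if it is obviously wrong.
    if not api_key or not api_key.startswith("mcp_sk_") or len(api_key) != 39:
        raise ValueError("MCP_SCANNER_API_KEY is missing or not a 39-character mcp_sk_ key")
    req = urllib.request.Request(
        f"{API_BASE}/scan",
        data=json.dumps({"url": repo_url}).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    status, body = send(req)
    if status >= 400:
        code, message = parse_error(body)
        # The exception message carries the hint but never the key itself.
        raise ApiError(status, code, message, HINTS.get(code, "see the API error message"))
    return json.loads(body)


# Constructed responses mirroring the error envelopes shown above (not captured
# traffic). The success body is an assumed shape, not documented on this page.
FAKE_RESPONSES = {
    "unauthorized": (401, b'{"error":{"code":"UNAUTHORIZED","message":"Invalid or missing API key"}}'),
    "forbidden": (403, b'{"error":{"code":"FORBIDDEN","message":"API access requires Pro subscription"}}'),
    "ok": (200, b'{"status":"queued"}'),
    "garbage": (502, b"<html>Bad Gateway</html>"),
}


def fake_send(name: str):
    """Build a transport that returns one constructed response regardless of request."""
    return lambda req: FAKE_RESPONSES[name]


if __name__ == "__main__":
    key = os.environ.get("MCP_SCANNER_API_KEY")
    try:
        print(scan_repo("https://github.com/owner/repo", key))
    except (ValueError, ApiError) as exc:
        print(f"scan failed: {exc}")
```

Keeping the key out of the exception text matters because exceptions end up in CI logs and error trackers; the `ApiError` above reports status, code, message and hint, nothing else.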
