User Key Management

Enterprise plan users can manage their own personal API keys for MCP servers, enabling individual authentication while maintaining centralized server management.

Overview

User Key Management allows enterprise users to:
  • Personal Authentication: Use individual API keys instead of shared organization credentials
  • Secure Storage: Keys are encrypted and stored securely
  • Granular Access: Different users can have different levels of access
  • Account Separation: Personal usage tracking and accountability
Enterprise Feature: User key management is only available on Enterprise plans. Standard plans use organization-wide authentication configured by administrators.

How It Works

Authentication Flow

  1. Admin Setup: Organization admins register MCP servers and define the required authentication headers
  2. User Configuration: Individual users provide their personal API keys through the dashboard
  3. Request Authentication: When using MCP tools, the system uses the user’s personal keys for authentication
  4. Audit Trail: All requests are tracked with individual user attribution

Key Storage Architecture

Managing Your Keys

Adding Personal Keys

  1. Navigate to Settings → MCP Gateway
  2. Find servers that require user authentication (marked with 🔑)
  3. Click Manage Keys next to the server
  4. Enter your personal API keys for required headers
  5. Save securely

Key Status Indicators

Status     | Indicator | Description
Configured | 🟢        | Key is set and working
Missing    | 🟡        | Key required but not provided
Invalid    | 🔴        | Key exists but authentication failed
Expired    |           | Key needs to be updated

Updating Keys

Tabs: Regular Updates | Emergency Rotation

Regular Updates: update your keys periodically for security:
  1. Click on the key status indicator
  2. Enter your new API key
  3. Test the connection
  4. Save the updated key

Supported Authentication Types

Authorization Headers

Most services use Bearer token authentication:
{
  "Authorization": "Bearer your-personal-token"
}
Examples:
  • GitHub: Personal Access Token
  • Linear: API Key
  • Notion: Integration Token

Custom Headers

Some services require custom authentication headers:
{
  "X-API-Key": "your-api-key",
  "X-Auth-Token": "your-auth-token"
}

Multi-Header Authentication

Complex services may require multiple headers:
{
  "Authorization": "Bearer token",
  "X-Client-ID": "client-id",
  "X-User-ID": "user-id"
}
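The three header shapes above are what an admin-defined server template has to express and what the gateway must fill in from one user's stored keys at request time. The following is an added example, not Requesty's own code: a hypothetical `ServerAuth` record listing the header names a server needs, a resolver that builds the request headers for one user and fails closed when a required key is absent, and a status function mirroring the dashboard's Configured / Missing / Invalid column. The sample servers are constructed.

```python
# Added example (not Requesty's code): build per-request headers for one user
# from an admin-defined server template and that user's stored keys, and
# derive the dashboard-style status ("Configured" / "Missing" / "Invalid").
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerAuth:
    """Hypothetical admin-side record of which headers a server requires."""
    name: str
    required_headers: tuple   # every user must supply these
    optional_headers: tuple = ()


class MissingKeyError(Exception):
    def __init__(self, server: str, missing: list):
        super().__init__(f"{server}: no personal key for {', '.join(missing)}")
        self.missing = missing


# Constructed samples mirroring the three header shapes on the page.
SAMPLE_SERVERS = {
    "github": ServerAuth("github", ("Authorization",)),
    "custom": ServerAuth("custom", ("X-API-Key", "X-Auth-Token")),
    "multi": ServerAuth("multi", ("Authorization", "X-Client-ID"), ("X-User-ID",)),
}


def resolve_auth_headers(server: ServerAuth, user_keys: dict) -> dict:
    """Return the headers to attach to an MCP request, or fail closed.

    Only headers named in the server template are forwarded, so extra
    entries in a user's key store never reach the upstream service.
    """
    missing = [h for h in server.required_headers if not user_keys.get(h)]
    if missing:
        raise MissingKeyError(server.name, missing)
    headers = {h: user_keys[h] for h in server.required_headers}
    for h in server.optional_headers:
        if user_keys.get(h):
            headers[h] = user_keys[h]
    return headers


def key_status(server: ServerAuth, user_keys: dict, last_auth_ok=None) -> str:
    """Status as shown in the dashboard table. last_auth_ok is the outcome of
    the most recent authenticated call (None if the key was never tested)."""
    if any(not user_keys.get(h) for h in server.required_headers):
        return "Missing"
    if last_auth_ok is False:
        return "Invalid"
    return "Configured"


if __name__ == "__main__":
    alice = {"Authorization": "Bearer ghp_constructed", "X-Client-ID": "c-1"}
    print(resolve_auth_headers(SAMPLE_SERVERS["github"], alice))
    print(key_status(SAMPLE_SERVERS["custom"], alice))  # Missing
```

The resolver is deliberately an allow-list: a user can only influence the headers the admin declared for that server, which keeps per-user authentication from turning into per-user header injection.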

Security Features

Encryption at Rest

  • Algorithm: AES-256 encryption for all stored keys
  • Key Management: Automatic key rotation and secure key derivation
  • Database Security: Encrypted database fields with no plaintext storage
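What "AES-256 with secure key derivation and key rotation" looks like in practice is easier to see in code. The block below is an added illustration, not Requesty's implementation: each stored key is encrypted with AES-256-GCM under a record key derived with HKDF-SHA256 from a versioned master key, and the GCM associated data binds the ciphertext to the org, user and server it belongs to, so a record copied to another user's row cannot be decrypted. It uses the `cryptography` package; the master keys, identifiers and version numbers are constructed for the demo.

```python
# Added example, not Requesty's implementation: encrypt a stored API key with
# AES-256-GCM under a per-record key derived (HKDF-SHA256) from a versioned
# master key, binding the ciphertext to org/user/server via the GCM AAD.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed master keys for the demo; a real deployment keeps these in a
# KMS/HSM and only ever derives record keys from them.
MASTER_KEYS = {1: os.urandom(32), 2: os.urandom(32)}
CURRENT_VERSION = 2


def _record_key(version: int, org_id: str, user_id: str, server_id: str) -> bytes:
    """Derive a distinct 256-bit key per (master version, org, user, server)."""
    info = f"user-key|v{version}|{org_id}|{user_id}|{server_id}".encode()
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info)
    return hkdf.derive(MASTER_KEYS[version])


def _aad(org_id: str, user_id: str, server_id: str) -> bytes:
    # Authenticated but unencrypted context: ties the ciphertext to its owner.
    return f"{org_id}|{user_id}|{server_id}".encode()


def encrypt_key(plaintext: str, org_id, user_id, server_id, version=CURRENT_VERSION) -> dict:
    """Return a record safe to persist: no plaintext, plus the master-key
    version needed to decrypt it after a rotation."""
    nonce = os.urandom(12)
    key = _record_key(version, org_id, user_id, server_id)
    ct = AESGCM(key).encrypt(nonce, plaintext.encode(), _aad(org_id, user_id, server_id))
    return {"v": version, "nonce": nonce, "ct": ct}


def decrypt_key(record: dict, org_id, user_id, server_id) -> str:
    """Raises InvalidTag when the record is read under a different org/user/server."""
    key = _record_key(record["v"], org_id, user_id, server_id)
    pt = AESGCM(key).decrypt(record["nonce"], record["ct"], _aad(org_id, user_id, server_id))
    return pt.decode()


def rotate_record(record: dict, org_id, user_id, server_id, new_version=CURRENT_VERSION) -> dict:
    """Re-encrypt under the current master key; the plaintext stays inside this call."""
    plaintext = decrypt_key(record, org_id, user_id, server_id)
    return encrypt_key(plaintext, org_id, user_id, server_id, new_version)


def can_decrypt_as(record: dict, org_id, user_id, server_id) -> bool:
    """Self-check helper: does this identity successfully open the record?"""
    try:
        decrypt_key(record, org_id, user_id, server_id)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    rec = encrypt_key("ghp_constructed", "org-a", "alice", "github", version=1)
    print(can_decrypt_as(rec, "org-a", "alice", "github"))   # True
    print(can_decrypt_as(rec, "org-a", "bob", "github"))     # False: different user
    print(rotate_record(rec, "org-a", "alice", "github")["v"])  # 2
```

Storing the master-key version in each record is what makes rotation incremental: new writes use the current version immediately, and a background job re-encrypts old records without any downtime or a window in which keys are unreadable.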

Access Controls

  • User Isolation: Users can only access their own keys
  • Organization Boundaries: Complete separation between organizations
  • Admin Oversight: Admins can see key status without seeing actual values

Audit Logging

Key Operations

Track when keys are added, updated, or removed

Usage Attribution

Every MCP request is attributed to the specific user

Security Events

Failed authentications and suspicious activity

Compliance Reports

Detailed logs for compliance and security audits

Enterprise vs Standard

Standard Plan: Organization-Wide Keys

  1. Admin-Only Management: Only organization administrators can configure authentication
  2. Shared Credentials: All users share the same API keys and authentication
  3. Simplified Setup: Single point of configuration for the entire organization
Best for: Internal tools, shared services, simplified management

Enterprise Plan: Per-User Keys

  1. Individual Authentication: Each user provides and manages their own API keys
  2. Personal Accountability: All usage is tracked and attributed to individual users
  3. Granular Control: Users can have different access levels and permissions
Best for: External services, compliance requirements, large teams

Admin Controls

Key Policy Configuration

Administrators can configure:
  • Required vs Optional: Which keys users must provide
  • Validation Rules: Automatic testing of user-provided keys
  • Usage Limits: Per-user limits on MCP requests
  • Audit Requirements: Mandatory logging and retention policies

User Management

Tabs: Key Status Monitoring | Access Control

Key Status Monitoring: admins can see which users have configured keys:
  • ✅ All required keys configured
  • ⚠️ Some keys missing
  • ❌ No keys configured
  • 🔄 Keys need updating
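The access-control rules (users see only their own keys, organizations are fully separated, admins see status but never values), the audit-logging section and the admin status view above all describe one enforcement point. The block below is an added example and not Requesty's code: a minimal in-memory key store with a hypothetical `Principal` type that applies those rules, attributes each MCP request to its user and appends an audit event for every key operation and every denied access, with key values never written to the log. Identities and servers are constructed.

```python
# Added example, not Requesty's code: a per-user key store that enforces user
# isolation and organization boundaries, gives admins status without values,
# and records an audit event for every key operation and attributed request.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    """Hypothetical caller identity; a real gateway derives this from the session."""
    user_id: str
    org_id: str
    is_admin: bool = False


class AccessDenied(PermissionError):
    pass


class UserKeyStore:
    def __init__(self, required_headers: dict):
        # required_headers: server -> tuple of header names each user must set
        self.required_headers = required_headers
        self._keys = {}        # (org, user, server, header) -> value (encrypted in production)
        self.audit_log = []    # append-only events; never contains key values

    def _audit(self, actor: Principal, action: str, server: str, **details):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "org": actor.org_id, "user": actor.user_id,
            "action": action, "server": server, **details})

    # --- key operations: self-service only ---------------------------------
    def set_key(self, actor: Principal, server: str, header: str, value: str):
        self._keys[(actor.org_id, actor.user_id, server, header)] = value
        self._audit(actor, "key.set", server, header=header)   # value omitted

    def remove_key(self, actor: Principal, server: str, header: str):
        self._keys.pop((actor.org_id, actor.user_id, server, header), None)
        self._audit(actor, "key.removed", server, header=header)

    def get_keys(self, actor: Principal, owner: Principal, server: str) -> dict:
        """Users read only their own keys; admins get no values at all."""
        if (actor.org_id, actor.user_id) != (owner.org_id, owner.user_id):
            self._audit(actor, "key.read.denied", server, target=owner.user_id)
            raise AccessDenied("users can only access their own keys")
        return {h: v for (o, u, s, h), v in self._keys.items()
                if (o, u, s) == (owner.org_id, owner.user_id, server)}

    # --- usage attribution ----------------------------------------------------
    def attribute_request(self, actor: Principal, server: str, tool: str):
        self._audit(actor, "mcp.request", server, tool=tool)

    # --- admin oversight ------------------------------------------------------
    def user_status(self, admin: Principal, org_id: str, user_id: str) -> dict:
        """Per-server summary for one user: "all", "some" or "none" of the
        required keys are configured. Values are never returned."""
        if not admin.is_admin or admin.org_id != org_id:
            self._audit(admin, "status.read.denied", "*", target_org=org_id)
            raise AccessDenied("admin access is limited to the admin's own organization")
        summary = {}
        for server, headers in self.required_headers.items():
            present = sum(1 for h in headers if (org_id, user_id, server, h) in self._keys)
            if present == len(headers):
                summary[server] = "all"
            elif present == 0:
                summary[server] = "none"
            else:
                summary[server] = "some"
        return summary
```

Two design points carry the security properties: the key dictionary is indexed by (org, user) so cross-tenant reads are impossible by construction rather than by a forgotten check, and every denied operation is itself logged, which is the "suspicious activity" signal the audit section refers to.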

Best Practices

For Users

  • Use unique, strong API keys for each service
  • Never share your personal API keys with others
  • Regularly rotate keys (every 90 days recommended)
  • Immediately report any suspected key compromise
  • Only request the minimum permissions needed
  • Review and audit your key usage regularly
  • Remove keys for services you no longer use
  • Keep backup access methods when possible

For Administrators

  • Define clear key rotation policies
  • Set up automated alerts for key expiration
  • Require strong authentication for key management
  • Implement approval workflows for sensitive services
  • Maintain audit logs for all key operations
  • Review user key status regularly
  • Document key management procedures
  • Train users on security best practices

Common Use Cases

Personal GitHub Integration

  1. Generate Personal Access Token in GitHub settings
  2. Configure Scopes: repo, read:org, read:user
  3. Add to Requesty: Use as Authorization header
  4. Verify Access: Test with repository listing tool

Individual Linear Access

  1. Create API Key in Linear account settings
  2. Set Permissions: Access to your teams and projects
  3. Configure in Requesty: Add as Linear API key
  4. Test Integration: Create a test issue

Notion Workspace Access

  1. Create Integration in Notion developer settings
  2. Grant Permissions: Content read/write, database access
  3. Get Integration Token from Notion
  4. Add to Requesty: Configure as Authorization header

Troubleshooting

Key Validation Errors

Symptoms: “Invalid API key format” error
Solutions:
  • Check if the key includes any prefixes (Bearer, Token, etc.)
  • Verify you’re using the correct key type for the service
  • Ensure no extra spaces or characters in the key

Symptoms: 403 Forbidden errors when using tools
Solutions:
  • Verify the key has required permissions/scopes
  • Check if your account has access to the requested resources
  • Ensure the key hasn’t been revoked or expired

Symptoms: Authentication fails despite correct key
Solutions:
  • Test the key directly with the service’s API
  • Check if the service requires additional headers
  • Verify the key is for the correct environment (prod vs dev)
  • Contact the service provider for key validation
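The first group of symptoms (a pasted "Bearer " prefix, stray whitespace, the wrong key type) can be caught before the key is ever saved. The function below is an added example, not part of Requesty's dashboard: it normalizes a user-entered key for a given header, removing a duplicated scheme prefix when the gateway adds that scheme itself, flagging an unexpected prefix when it does not, and rejecting empty or whitespace-only input with the same "Invalid API key format" wording the page uses. The `scheme` parameter and the sample values are assumptions for the demo.

```python
# Added example, not Requesty's code: pre-save normalization of a user-entered
# API key, returning the final header value plus a list of warnings that map
# to the "Invalid API key format" checks above.
import re

# Scheme prefixes users commonly paste along with the token itself.
_SCHEME_RE = re.compile(r"^(Bearer|Token|Basic)\s+(.+)$", re.IGNORECASE)


def normalize_key(value: str, scheme=None):
    """Return (header_value, warnings).

    scheme is the prefix the gateway prepends itself ("Bearer" for an
    Authorization header, None for custom headers such as X-API-Key).
    Raises ValueError for an empty key so nothing unusable is stored.
    """
    warnings = []
    clean = value.strip()
    if clean != value:
        warnings.append("removed leading/trailing whitespace")

    m = _SCHEME_RE.match(clean)
    if m:
        found, clean = m.group(1), m.group(2).strip()
        if scheme and found.lower() == scheme.lower():
            warnings.append(f"'{found}' prefix already included; removed the duplicate")
        else:
            warnings.append(
                f"unexpected '{found}' prefix removed; verify the key type for this service")

    if not clean:
        raise ValueError("Invalid API key format: empty key")
    if any(ch.isspace() or not ch.isprintable() for ch in clean):
        warnings.append("key contains internal whitespace or control characters")

    header_value = f"{scheme} {clean}" if scheme else clean
    return header_value, warnings


if __name__ == "__main__":
    # Constructed inputs showing each warning path.
    for raw, scheme in [("  Bearer ghp_constructed ", "Bearer"), ("Token abc123", None), ("ab c", None)]:
        print(normalize_key(raw, scheme))
```

Run the check at save time and surface the warnings in the dashboard rather than silently rewriting the key: a user who pasted a `Token` prefix into an `Authorization: Bearer` field most likely copied the wrong credential type, which is exactly the second checklist item.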

Need Help?

Contact your organization administrator or [email protected] for assistance with user key management.