User Key Management
Enterprise plan users can manage their own personal API keys for MCP servers, enabling individual authentication while maintaining centralized server management.
Overview
User Key Management allows enterprise users to:
- Personal Authentication: Use individual API keys instead of shared organization credentials
- Secure Storage: Keys are encrypted and stored securely
- Granular Access: Different users can have different levels of access
- Account Separation: Personal usage tracking and accountability
Enterprise Feature: User key management is only available on Enterprise plans. Standard plans use organization-wide authentication configured by administrators.
How It Works
Authentication Flow
1. Admin Setup: Organization admins register MCP servers and define required authentication headers
2. User Configuration: Individual users provide their personal API keys through the dashboard
3. Request Authentication: When using MCP tools, the system uses the user's personal keys for authentication
4. Audit Trail: All requests are tracked with individual user attribution
Key Storage Architecture
Managing Your Keys
Adding Personal Keys
- Navigate to Settings → MCP Gateway
- Find servers that require user authentication (marked with 🔑)
- Click Manage Keys next to the server
- Enter your personal API keys for required headers
- Save securely
Key Status Indicators
| Status | Indicator | Description |
|---|---|---|
| Configured | 🟢 | Key is set and working |
| Missing | 🟡 | Key required but not provided |
| Invalid | 🔴 | Key exists but authentication failed |
| Expired | ⚫ | Key needs to be updated |
Updating Keys
The dashboard offers two update flows, Regular Updates and Emergency Rotation. For a regular update, rotate your keys periodically for security:
- Click on the key status indicator
- Enter your new API key
- Test the connection
- Save the updated key
Supported Authentication Types
Authorization Headers
Most services use Bearer token authentication:
- GitHub: Personal Access Token
- Linear: API Key
- Notion: Integration Token
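The three header types this section describes (a Bearer token in the Authorization header, a custom header, and multiple headers per server) can be modelled in one small resolver. This is an added illustration, not Requesty's code: the server registrations, the `(user, server, header)` store layout and all key values are constructed placeholders. It shows how a gateway keeps keys isolated per user, reports the Configured/Missing indicator, and rejects a pasted key that still carries its "Bearer" prefix or contains stray whitespace.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HeaderSpec:
    name: str            # header the MCP server expects, e.g. "Authorization"
    prefix: str = ""     # scheme the gateway prepends at request time, e.g. "Bearer "
    required: bool = True

@dataclass(frozen=True)
class ServerAuth:
    server: str
    headers: tuple       # tuple of HeaderSpec, as registered by the admin (step 1 of the flow)

# Hypothetical server registrations: a Bearer-token service and a multi-header service.
GITHUB = ServerAuth("github", (HeaderSpec("Authorization", "Bearer "),))
CUSTOM = ServerAuth("custom-crm", (HeaderSpec("X-API-Key"),
                                   HeaderSpec("X-Workspace-Id", required=False)))

def normalize_key(raw: str, prefix: str) -> str:
    """Validate a pasted key: trim whitespace and drop a duplicated scheme prefix."""
    key = raw.strip()
    scheme = prefix.strip().lower()
    if scheme and key.lower().startswith(scheme + " "):
        key = key[len(scheme) + 1:].strip()   # user pasted "Bearer ghp_..."; store only the secret
    if not key or any(ch.isspace() for ch in key):
        raise ValueError("Invalid API key format")
    return key

def key_status(store: dict, user: str, auth: ServerAuth) -> str:
    """Dashboard indicator: Configured when every required header has a key, else Missing."""
    missing = [h for h in auth.headers if h.required and (user, auth.server, h.name) not in store]
    return "Missing" if missing else "Configured"

def build_headers(store: dict, user: str, auth: ServerAuth) -> dict:
    """Step 3 of the flow: assemble outbound headers from this user's keys only, never another user's."""
    headers = {}
    for spec in auth.headers:
        value = store.get((user, auth.server, spec.name))
        if value is None:
            if spec.required:
                raise PermissionError(f"{user} has no key for {auth.server}/{spec.name}")
            continue                       # optional header is simply omitted
        headers[spec.name] = spec.prefix + value
    return headers

# Constructed sample store keyed by (user, server, header); values are placeholders, not real credentials.
STORE = {("alice", "github", "Authorization"): normalize_key("Bearer ghp_EXAMPLE_PLACEHOLDER ", "Bearer "),
         ("alice", "custom-crm", "X-API-Key"): normalize_key("crm-key-PLACEHOLDER", "")}
```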
Custom Headers
Some services require custom authentication headers.
Multi-Header Authentication
Complex services may require multiple headers.
Security Features
Encryption at Rest
- Algorithm: AES-256 encryption for all stored keys
- Key Management: Automatic key rotation and secure key derivation
- Database Security: Encrypted database fields with no plaintext storage
Access Controls
- User Isolation: Users can only access their own keys
- Organization Boundaries: Complete separation between organizations
- Admin Oversight: Admins can see key status without seeing actual values
Audit Logging
Key Operations
Track when keys are added, updated, or removed
Usage Attribution
Every MCP request is attributed to the specific user
Security Events
Failed authentications and suspicious activity
Compliance Reports
Detailed logs for compliance and security audits
Enterprise vs Standard
Standard Plan: Organization-Wide Keys
1. Admin-Only Management: Only organization administrators can configure authentication
2. Shared Credentials: All users share the same API keys and authentication
3. Simplified Setup: Single point of configuration for the entire organization
Enterprise Plan: Per-User Keys
1. Individual Authentication: Each user provides and manages their own API keys
2. Personal Accountability: All usage is tracked and attributed to individual users
3. Granular Control: Users can have different access levels and permissions
Admin Controls
Key Policy Configuration
Administrators can configure:
- Required vs Optional: Which keys users must provide
- Validation Rules: Automatic testing of user-provided keys
- Usage Limits: Per-user limits on MCP requests
- Audit Requirements: Mandatory logging and retention policies
User Management
The user management view has two tabs, Key Status Monitoring and Access Control. Under Key Status Monitoring, admins can see which users have configured keys:
- ✅ All required keys configured
- ⚠️ Some keys missing
- ❌ No keys configured
- 🔄 Keys need updating
Best Practices
For Users
Key Security
- Use unique, strong API keys for each service
- Never share your personal API keys with others
- Regularly rotate keys (every 90 days recommended)
- Immediately report any suspected key compromise
Access Management
- Only request the minimum permissions needed
- Review and audit your key usage regularly
- Remove keys for services you no longer use
- Keep backup access methods when possible
For Administrators
Policy Management
- Define clear key rotation policies
- Set up automated alerts for key expiration
- Require strong authentication for key management
- Implement approval workflows for sensitive services
Compliance
- Maintain audit logs for all key operations
- Review user key status regularly
- Document key management procedures
- Train users on security best practices
Common Use Cases
Personal GitHub Integration
- Generate Personal Access Token in GitHub settings
- Configure Scopes: repo, read:org, read:user
- Add to Requesty: Use as Authorization header
- Verify Access: Test with repository listing tool
Individual Linear Access
- Create API Key in Linear account settings
- Set Permissions: Access to your teams and projects
- Configure in Requesty: Add as Linear API key
- Test Integration: Create a test issue
Notion Workspace Access
- Create Integration in Notion developer settings
- Grant Permissions: Content read/write, database access
- Get Integration Token from Notion
- Add to Requesty: Configure as Authorization header
Troubleshooting
Key Validation Errors
Invalid Key Format
Symptoms: "Invalid API key format" error
Solutions:
- Check if the key includes any prefixes (Bearer, Token, etc.)
- Verify you’re using the correct key type for the service
- Ensure no extra spaces or characters in the key
Permission Denied
Symptoms: 403 Forbidden errors when using tools
Solutions:
- Verify the key has required permissions/scopes
- Check if your account has access to the requested resources
- Ensure the key hasn’t been revoked or expired
Key Not Working
Symptoms: Authentication fails despite a correct key
Solutions:
- Test the key directly with the service’s API
- Check if the service requires additional headers
- Verify the key is for the correct environment (prod vs dev)
- Contact the service provider for key validation
Need Help?
Contact your organization administrator or [email protected] for assistance with user key management.