> ## Documentation Index
> Fetch the complete documentation index at: https://docs.requesty.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# User Key Management

> Enterprise users can manage their personal API keys for MCP servers

# User Key Management

<Info>
  Enterprise plan users can manage their own personal API keys for MCP servers, enabling individual authentication while maintaining centralized server management.

  <Note>
    **[Configure MCP user keys](https://app.requesty.ai/mcp-gateway)** in the Requesty Console.
  </Note>
</Info>

## Overview

User Key Management allows enterprise users to:

* **Personal Authentication**: Use individual API keys instead of shared organization credentials
* **Secure Storage**: Keys are encrypted and stored securely
* **Granular Access**: Different users can have different levels of access
* **Account Separation**: Personal usage tracking and accountability

<Note>
  **Enterprise Feature**: User key management is only available on Enterprise plans. Standard plans use organization-wide authentication configured by administrators.
</Note>

## How It Works

### Authentication Flow

<Steps>
  <Step title="Admin Setup">
    Organization admins register MCP servers and define required authentication headers
  </Step>

  <Step title="User Configuration">
    Individual users provide their personal API keys through the dashboard
  </Step>

  <Step title="Request Authentication">
    When using MCP tools, the system uses the user's personal keys for authentication
  </Step>

  <Step title="Audit Trail">
    All requests are tracked with individual user attribution
  </Step>
</Steps>

### Key Storage Architecture

```mermaid theme={"dark"}
graph TD
    A[User Provides Key] --> B[AES-256 Encryption]
    B --> C[Secure Database Storage]
    C --> D[Runtime Decryption]
    D --> E[MCP Server Request]
    E --> F[Audit Log Entry]
```

## Managing Your Keys

### Adding Personal Keys

1. Navigate to **Settings → MCP Gateway**
2. Find servers that require user authentication (marked with 🔑)
3. Click **Manage Keys** next to the server
4. Enter your personal API keys for required headers
5. Save securely

### Key Status Indicators

| Status     | Indicator | Description                          |
| ---------- | --------- | ------------------------------------ |
| Configured | 🟢        | Key is set and working               |
| Missing    | 🟡        | Key required but not provided        |
| Invalid    | 🔴        | Key exists but authentication failed |
| Expired    | ⚫         | Key needs to be updated              |

### Updating Keys

<Tabs>
  <Tab title="Regular Updates">
    Update your keys periodically for security:

    * Click on the key status indicator
    * Enter your new API key
    * Test the connection
    * Save the updated key
  </Tab>

  <Tab title="Emergency Rotation">
    If your key is compromised:

    1. Immediately revoke the old key in the external service
    2. Generate a new key in the service
    3. Update the key in Requesty
    4. Verify all tools are working with the new key
  </Tab>
</Tabs>

## Supported Authentication Types

### Authorization Headers

Most services use Bearer token authentication:

```json theme={"dark"}
{
  "Authorization": "Bearer your-personal-token"
}
```

**Examples**:

* GitHub: Personal Access Token
* Linear: API Key
* Notion: Integration Token

### Custom Headers

Some services require custom authentication headers:

```json theme={"dark"}
{
  "X-API-Key": "your-api-key",
  "X-Auth-Token": "your-auth-token"
}
```

### Multi-Header Authentication

Complex services may require multiple headers:

```json theme={"dark"}
{
  "Authorization": "Bearer token",
  "X-Client-ID": "client-id",
  "X-User-ID": "user-id"
}
```

## Security Features

### Encryption at Rest

* **Algorithm**: AES-256 encryption for all stored keys
* **Key Management**: Automatic key rotation and secure key derivation
* **Database Security**: Encrypted database fields with no plaintext storage

### Access Controls

* **User Isolation**: Users can only access their own keys
* **Organization Boundaries**: Complete separation between organizations
* **Admin Oversight**: Admins can see key status without seeing actual values

### Audit Logging

<CardGroup cols={2}>
  <Card title="Key Operations" icon="history">
    Track when keys are added, updated, or removed
  </Card>

  <Card title="Usage Attribution" icon="user">
    Every MCP request is attributed to the specific user
  </Card>

  <Card title="Security Events" icon="shield">
    Failed authentications and suspicious activity
  </Card>

  <Card title="Compliance Reports" icon="file-text">
    Detailed logs for compliance and security audits
  </Card>
</CardGroup>

## Enterprise vs Standard

### Standard Plan: Organization-Wide Keys

<Steps>
  <Step title="Admin-Only Management">
    Only organization administrators can configure authentication
  </Step>

  <Step title="Shared Credentials">
    All users share the same API keys and authentication
  </Step>

  <Step title="Simplified Setup">
    Single point of configuration for the entire organization
  </Step>
</Steps>

**Best for**: Internal tools, shared services, simplified management

### Enterprise Plan: Per-User Keys

<Steps>
  <Step title="Individual Authentication">
    Each user provides and manages their own API keys
  </Step>

  <Step title="Personal Accountability">
    All usage is tracked and attributed to individual users
  </Step>

  <Step title="Granular Control">
    Users can have different access levels and permissions
  </Step>
</Steps>

**Best for**: External services, compliance requirements, large teams

## Admin Controls

### Key Policy Configuration

Administrators can configure:

* **Required vs Optional**: Which keys users must provide
* **Validation Rules**: Automatic testing of user-provided keys
* **Usage Limits**: Per-user limits on MCP requests
* **Audit Requirements**: Mandatory logging and retention policies

### User Management

<Tabs>
  <Tab title="Key Status Monitoring">
    Admins can see which users have configured keys:

    * ✅ All required keys configured
    * ⚠️ Some keys missing
    * ❌ No keys configured
    * 🔄 Keys need updating
  </Tab>

  <Tab title="Access Control">
    Control user access to key management:

    * **Allow Self-Service**: Users can manage their own keys
    * **Admin-Only**: Only admins can update user keys
    * **Approval Required**: User key changes require admin approval
  </Tab>
</Tabs>

## Best Practices

### For Users

<AccordionGroup>
  <Accordion title="Key Security">
    * Use unique, strong API keys for each service
    * Never share your personal API keys with others
    * Regularly rotate keys (every 90 days recommended)
    * Immediately report any suspected key compromise
  </Accordion>

  <Accordion title="Access Management">
    * Only request the minimum permissions needed
    * Review and audit your key usage regularly
    * Remove keys for services you no longer use
    * Keep backup access methods when possible
  </Accordion>
</AccordionGroup>

### For Administrators

<AccordionGroup>
  <Accordion title="Policy Management">
    * Define clear key rotation policies
    * Set up automated alerts for key expiration
    * Require strong authentication for key management
    * Implement approval workflows for sensitive services
  </Accordion>

  <Accordion title="Compliance">
    * Maintain audit logs for all key operations
    * Regular reviews of user key status
    * Document key management procedures
    * Train users on security best practices
  </Accordion>
</AccordionGroup>

## Common Use Cases

### Personal GitHub Integration

1. **Generate Personal Access Token** in GitHub settings
2. **Configure Scopes**: `repo`, `read:org`, `read:user`
3. **Add to Requesty**: Use as Authorization header
4. **Verify Access**: Test with repository listing tool

### Individual Linear Access

1. **Create API Key** in Linear account settings
2. **Set Permissions**: Access to your teams and projects
3. **Configure in Requesty**: Add as Linear API key
4. **Test Integration**: Create a test issue

### Notion Workspace Access

1. **Create Integration** in Notion developer settings
2. **Grant Permissions**: Content read/write, database access
3. **Get Integration Token** from Notion
4. **Add to Requesty**: Configure as Authorization header

## Troubleshooting

### Key Validation Errors

<AccordionGroup>
  <Accordion title="Invalid Key Format">
    **Symptoms**: "Invalid API key format" error

    **Solutions**:

    * Check if the key includes any prefixes (Bearer, Token, etc.)
    * Verify you're using the correct key type for the service
    * Ensure no extra spaces or characters in the key
  </Accordion>

  <Accordion title="Permission Denied">
    **Symptoms**: 403 Forbidden errors when using tools

    **Solutions**:

    * Verify the key has required permissions/scopes
    * Check if your account has access to the requested resources
    * Ensure the key hasn't been revoked or expired
  </Accordion>

  <Accordion title="Key Not Working">
    **Symptoms**: Authentication fails despite correct key

    **Solutions**:

    * Test the key directly with the service's API
    * Check if the service requires additional headers
    * Verify the key is for the correct environment (prod vs dev)
    * Contact the service provider for key validation
  </Accordion>
</AccordionGroup>

***

<Card title="Need Help?" icon="question-circle">
  Contact your organization administrator or [support@requesty.ai](mailto:support@requesty.ai) for assistance with user key management.
</Card>
