Per-User API Keys

Issue revocable mcp_xxx tokens per user. Hashed at rest, scoped to one identity, killed with one click.

Per-User API Keys

Every user in MCP Factory gets their own API token prefixed mcp_xxx. Your MCP server checks the token, and MCP Factory returns the credentials scoped to that user.

How keys work

  • Generated server-side, shown once at creation
  • Hashed at rest (SHA-256)
  • Individually revocable from the dashboard
  • Rotation without downtime — issue the new key, deploy, revoke the old

Why per-user, not per-app

MCP servers usually need to act on behalf of a specific user — sending email from that user’s Gmail, posting to that user’s GHL location, querying that user’s Google Ads account. A single shared API key collapses every user into one identity. Per-user keys keep the audit trail intact.

Dashboard

Non-technical admins manage keys in a plain dashboard: who has access, which integrations they’ve connected, when each key was last used. No CLI required.

Start Free Trial

Ready to get started?

Start your free trial today. No credit card required.

Start Free Trial Book a Demo
Try MCP Factory free — self-host or hosted
Start Free Trial →