SECURITY4 min read
API Key Management
Creating, rotating, and revoking API keys for agents and MCP servers
Types of API Keys
Conexor uses two types of API keys:
pk_live_xxxxxAgent keys - authenticate on-premise agents to the cloud service
mcp_xxxxxMCP Server keys - authenticate AI assistants (Claude, n8n) to MCP endpoints
Creating API Keys
API keys are created from the dashboard:
- Agent keys: Dashboard → Agents → Create Agent
- MCP keys: Dashboard → Servers → Select Server → API Keys → Generate
NOTEAPI keys are only shown once when created. Store them securely immediately.
Using API Keys
Include the API key in the X-API-Key header:
bash
# MCP endpoint with API key
curl -X POST https://app.conexor.io/mcp/acme/sales-api -H "X-API-Key: mcp_your_key_here" -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'Rotating Keys
Rotate keys periodically for security:
- Generate a new key from the dashboard
- Update your application/agent with the new key
- Verify the new key works
- Revoke the old key
TIPKeep both keys active briefly during rotation to avoid downtime.
Revoking Keys
Revoke keys immediately if compromised:
- Dashboard → Servers → Select Server → API Keys → Revoke
- Revocation is immediate - all requests with that key will be rejected
Security Best Practices
- Never commit API keys to version control
- Use environment variables or secrets managers
- Rotate keys every 90 days
- Use separate keys for development and production
- Revoke keys immediately when team members leave
- Monitor key usage in the audit logs