API keys are used for programmatic access and for the MCP server (e.g. from Cursor or Claude). They are generated from a user's JWT.
Send it as the Bearer token:
Authorization: Bearer <api-key>
Use the same key for:
POST /graphql — All authenticated queries and mutations
POST /graphql
POST /mcp — MCP initialize, tools/list, tools/call
POST /mcp
POST /ingestion/:id — File upload for an ingestion session
POST /ingestion/:id
Do not commit API keys to source control or expose them in client-side code.
Prefer API keys over JWTs for long-lived or automated access.
Rotate keys if they may have been compromised; generate a new key and stop using the old one.
Last updated 1 hour ago
