
Authentication

MCP Rank uses API keys for authentication.

API Keys

Include your API key in the X-API-Key header:
curl https://api.mcprank.com/v1/search \
  -H "X-API-Key: sk_mcp_rank_..." \
  -H "Content-Type: application/json" \
  -d '{"query": "send email"}'

Getting an API Key

  1. Sign up at mcprank.com
  2. Go to Dashboard > API Keys
  3. Click “Create New Key”
  4. Copy and store the key securely

API keys are only shown once when created. Store them securely.

Key Format

API keys follow this format:
sk_mcp_rank_[32 hex characters]
Example: sk_mcp_rank_a1b2c3d4e5f6789012345678abcdef01

MCP Identity Tokens

For proxy requests, you also need an MCP Identity token (JWT) in the Authorization header:
curl https://api.mcprank.com/v1/proxy/google/gmail/v1/users/me/profile \
  -H "X-API-Key: sk_mcp_rank_..." \
  -H "Authorization: Bearer eyJ..."

Token Structure

MCP Identity tokens are JWTs with these claims:
{
  "iss": "https://mcprank.com",
  "sub": "user_123",
  "aud": "mcp-servers",
  "exp": 1704067200,
  "iat": 1704063600,
  "jti": "tok_abc123",
  "api_key_id": "key_def456",
  "connected_services": ["google"]
}

Getting Tokens

Tokens are returned when a user completes the OAuth flow:
GET /v1/auth/google/initiate?redirect_uri=https://yourapp.com/callback
-> Redirects to Google
-> Returns to: https://yourapp.com/callback?access_token=eyJ...&refresh_token=...

Refreshing Tokens

Access tokens expire after 1 hour. Use the refresh token to get new ones:
curl -X POST https://api.mcprank.com/v1/auth/token \
  -H "X-API-Key: sk_mcp_rank_..." \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=..."

Security Best Practices

Keep Keys Secret

Never commit API keys to version control or expose them in client-side code.

Use Environment Variables

Store keys in environment variables, not in code.
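
The following is an added example, not MCP Rank's own code: a small scanner that flags strings matching the documented key format (sk_mcp_rank_ plus 32 hex characters) in files before they are committed, and redacts them for log output. The environment variable name MCP_RANK_API_KEY, the case-insensitive hex match and the function names are assumptions made for this example.

```python
import re
import sys

# Key format from this page: "sk_mcp_rank_" followed by 32 hex characters.
# Assumptions: hex digits may be upper or lower case, and a run of more than
# 32 hex digits is not a key (the lookahead rejects a 33rd hex digit).
KEY_RE = re.compile(r"sk_mcp_rank_[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def redact(key):
    """Keep the prefix and last 4 characters so a finding can be traced to a
    key in the dashboard without re-exposing the secret."""
    return "sk_mcp_rank_" + "*" * 28 + key[-4:]


def find_keys(text, source="<input>"):
    """Return (source, line_number, redacted_key) for each key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scrub(text):
    """Replace every key-shaped string with its redacted form, e.g. before logging."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample: a config file with a hard-coded key (the example key from
# this page), the documentation placeholder, and an environment lookup.
SAMPLE = '''\
API_URL = "https://api.mcprank.com/v1/search"
API_KEY = "sk_mcp_rank_a1b2c3d4e5f6789012345678abcdef01"
DOC_HINT = "sk_mcp_rank_..."
SAFE_KEY = os.environ["MCP_RANK_API_KEY"]  # hypothetical variable name
'''

if __name__ == "__main__":
    # With file arguments, scan those files; with none, scan the sample.
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += find_keys(fh.read(), path)
    if not sys.argv[1:]:
        hits = find_keys(SAMPLE, "sample")
    for src, lineno, key in hits:
        print(f"{src}:{lineno}: possible MCP Rank API key {key}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Run as a pre-commit hook with the staged file paths as arguments; any key it reports should be treated as exposed and rotated.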

Rotate Keys Regularly

Rotate API keys periodically, and immediately if a key has been compromised.

Use Minimal Scopes

Only request the permissions your app needs.