MCP keys vs API keys
SureFeedback has two types of keys:
| | API Keys | MCP Keys |
|---|---|---|
| Purpose | REST API access | AI assistant access via MCP |
| Auth header | X-API-Key | X-API-Key |
| Scope | Organisation | Active project |
| Created at | Settings → API Keys | Integrations → AI / MCP |
MCP keys are regular API keys with token_type: mcp. They are project-scoped — all tools and resources automatically operate within your active project.
Creating a key
Go to Integrations → AI / MCP → Manage MCP Keys → Create MCP Key.
Select one or more permissions:
| Permission | What it allows in MCP |
|---|---|
| Read | search-comments, get-comment, search-sites, search-mockups, get-mockup-comments, list-members, summarize-feedback, get-pending-tasks, all resources |
| Write | update-comment-status, assign-comment |
| Delete | Future destructive operations |
For a read-only AI assistant, grant only Read. For an assistant that can update statuses and assign comments, add Write.
Passing the key
Pass your MCP key in the X-API-Key header on every request:
```http
POST https://api.surefeedback.com/mcp
X-API-Key: sf_your_key_here
Content-Type: application/json
```
Authorization: Bearer sf_your_key_here also works.
Key lifecycle
- Revoke — disables the key immediately without deleting it
- Regenerate — issues a new secret; the old key stops working immediately
- Delete — permanently removes the key
- Expiry — optionally set an expiry date when creating a key
Security
- Never commit MCP keys to source control
- Use the minimum permissions needed
- Regenerate keys if you suspect compromise
- Set expiry dates for temporary integrations
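
The "Passing the key" and "Never commit MCP keys to source control" points above, combined in one client-side sketch. This is an added example, not SureFeedback's own code. It assumes an environment variable named `SUREFEEDBACK_MCP_KEY` and a JSON-RPC `tools/list` body taken from the general MCP specification; the helper names and the sample key are constructed for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

MCP_URL = "https://api.surefeedback.com/mcp"  # endpoint shown on this page
KEY_ENV = "SUREFEEDBACK_MCP_KEY"              # assumed variable name


def load_key(env=os.environ):
    """Read the MCP key from the environment so it never lives in the repo."""
    key = env.get(KEY_ENV, "").strip()
    if not key.startswith("sf_"):
        raise RuntimeError(f"{KEY_ENV} is unset or is not an sf_ key")
    return key


def redact(key):
    """Form that is safe to write to logs: prefix plus last four characters."""
    return "sf_..." + key[-4:]


def build_request(key, method="tools/list", params=None, url=MCP_URL):
    """Build (without sending) an authenticated POST to the MCP endpoint."""
    parts = urlsplit(url)
    # Attach the key only to the HTTPS API host, never to another origin.
    if parts.scheme != "https" or parts.hostname != "api.surefeedback.com":
        raise ValueError("refusing to send the key to " + url)
    # Assumed body shape: JSON-RPC 2.0 as used by MCP in general.
    body = {"jsonrpc": "2.0", "id": 1, "method": method, "params": params or {}}
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-API-Key": key, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample key, used only when the variable is not set.
    env = {KEY_ENV: os.environ.get(KEY_ENV, "sf_constructed_sample_0000")}
    key = load_key(env)
    req = build_request(key)
    print(req.get_method(), req.full_url, "key", redact(key))
```

Pass the returned request to `urllib.request.urlopen` to send it; log only the `redact()` form of the key.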