> ## Documentation Index
> Fetch the complete documentation index at: https://developer.surefeedback.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP Authentication

> How MCP keys work and how to manage them.

## MCP keys vs API keys

SureFeedback has two types of keys:

|             | **API Keys**        | **MCP Keys**                |
| ----------- | ------------------- | --------------------------- |
| Purpose     | REST API access     | AI assistant access via MCP |
| Auth header | `X-API-Key`         | `X-API-Key`                 |
| Scope       | Organisation        | Active project              |
| Created at  | Settings → API Keys | Integrations → AI / MCP     |

MCP keys are regular API keys with `token_type: mcp`. They are **project-scoped** — all tools and resources automatically operate within your active project.

## Creating a key

Go to **Integrations → AI / MCP → Manage MCP Keys → Create MCP Key**.

Select one or more permissions:

| Permission | What it allows in MCP                                                                                                                                               |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Read**   | `search-comments`, `get-comment`, `search-sites`, `search-mockups`, `get-mockup-comments`, `list-members`, `summarize-feedback`, `get-pending-tasks`, all resources |
| **Write**  | `update-comment-status`, `assign-comment`                                                                                                                           |
| **Delete** | Future destructive operations                                                                                                                                       |

<Tip>
  For a read-only AI assistant, grant only **Read**. For an assistant that can update statuses and assign comments, add **Write**.
</Tip>

## Passing the key

Pass your MCP key in the `X-API-Key` header on every request:

```bash theme={null}
POST https://api.surefeedback.com/mcp
X-API-Key: sf_your_key_here
Content-Type: application/json
```

`Authorization: Bearer sf_your_key_here` also works.

## Key lifecycle

* **Revoke** — disables the key immediately without deleting it
* **Regenerate** — issues a new secret; the old key stops working immediately
* **Delete** — permanently removes the key
* **Expiry** — optionally set an expiry date when creating a key

## Security

* Never commit MCP keys to source control
* Use the minimum permissions needed
* Regenerate keys if you suspect compromise
* Set expiry dates for temporary integrations
