
MCP servers with API key authentication

Secure your MCP server with an API key. Learn how to configure Cast's API Key Header mode and which UI fields to fill in.

June 2, 2026 · 5 min read

How API key auth works in Cast

When you select API Key Header in the Configure tab, Cast stores your key encrypted (AES-256-GCM) and injects it as an HTTP header on every upstream request. Your MCP client never sees the key — it just calls the MCP URL, and Cast handles the rest.

1. Start the test server in apikey mode

terminal
cd cast-mcp/test-server
npx ts-node src/index.ts --mode apikey --port 3456

The startup banner prints a generated key like cast_4f9a2b…. Copy it — you'll paste it into Cast. Every request missing this key returns 401 MISSING_API_KEY.

2. Create a workspace and upload the spec

New workspace → Upload tab → upload the spec file or paste its URL, http://localhost:3456/openapi.json. Wait for tool generation to complete.


3. Configure auth — API Key Header

Switch to the Configure tab. In the Auth section, click the API Key Header card. Two fields appear: the header name and the key value. Fill in exactly as shown below.

Configure → Auth

API Base URL: http://localhost:3456

Auth mode cards:

  • Bearer Token (Authorization: Bearer <token>)
  • API Key Header (X-Api-Key: <key>)
  • Custom Headers (any header name + value)
  • OAuth 2.0 (PKCE · DCR support)

Header name: X-API-Key
API Key value: cast_4f9a2b…

Button: Save auth configuration

After you save, Cast encrypts the key with AES-256-GCM. The raw value is never logged or returned by the API. To rotate the key: re-open Configure, paste the new value, save. No downtime, no client changes required.

Once saved, the key field shows a green "saved" indicator instead of the raw value — that's what it looks like after a successful save:

Configure → Auth (after saving)

Header name: X-API-Key
API Key value: API key saved — enter a new value to update

4. Enable tools and save

Scroll down to the tool list. Toggle on the tools you want agents to call. Leave destructive operations disabled until you're ready for them.

Configure → Tools

  • listItems: GET /api/items
  • createItem: POST /api/items
  • getItem: GET /api/items/{id}
  • listUsers: GET /api/users
  • deleteItem: DELETE /api/items/{id}

Button: Save changes

5. Get your MCP URL

Switch to the Connect tab. Cast shows a ready-to-paste snippet for each supported client. Your MCP client never needs the API key — Cast injects it server-side.

Connect → Your MCP URL

Client tabs: Claude Desktop, Cursor, Windsurf, Cline

claude_desktop_config.json
{
  "mcpServers": {
    "test-apikey": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://mcp.getcast.io/test-apikey-cmpqu3ric001i"
      ]
    }
  }
}

Production checklist

  • Scope the key to minimum permissions
  • IP-allowlist your API to only accept Cast's egress IPs
  • Disable any tools you don't want agents calling
  • Check the Logs tab after the first call to verify requests are flowing
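
The upstream side of this setup, as an added JavaScript example (not Cast's or the test server's code): the API checks the header that Cast injects and applies the allowlist item from the checklist above. The allowlist addresses are placeholders from a documentation range, and the INVALID_API_KEY and IP_NOT_ALLOWED codes and the function names are hypothetical; only MISSING_API_KEY comes from step 1.

```javascript
// Added example: not Cast's or the test server's code.
// Placeholder allowlist (TEST-NET-3 documentation range), not Cast's real egress IPs.
const EGRESS_ALLOWLIST = new Set(['203.0.113.10', '203.0.113.11']);

// Compare in constant time so response timing does not reveal how much of a
// guessed key was correct. Node's crypto.timingSafeEqual is the library
// equivalent; it is written out here so the block needs no imports.
function constantTimeEqual(presented, expected) {
  const x = new TextEncoder().encode(presented);
  const y = new TextEncoder().encode(expected);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) {
    diff |= x[i] ^ y[i % (y.length || 1)];
  }
  return diff === 0;
}

// HTTP header names are case-insensitive: X-Api-Key and X-API-Key are the same header.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// req: { remoteAddress, headers }. Take remoteAddress from the TCP socket,
// not from a client-supplied X-Forwarded-For header.
function checkRequest(req, expectedKey) {
  // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
  const ip = String(req.remoteAddress).replace(/^::ffff:/, '');
  if (!EGRESS_ALLOWLIST.has(ip)) {
    return { status: 403, error: 'IP_NOT_ALLOWED' }; // hypothetical code
  }
  const presented = headerValue(req.headers, 'X-API-Key');
  if (typeof presented !== 'string' || presented === '') {
    return { status: 401, error: 'MISSING_API_KEY' }; // code named in step 1
  }
  if (!expectedKey || !constantTimeEqual(presented, expectedKey)) {
    return { status: 401, error: 'INVALID_API_KEY' }; // hypothetical code
  }
  return { status: 200, error: null };
}
```
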