Reference
API keys
API keys are how MCP chat clients authenticate to your workspace. Each key is a long-lived bearer token scoped to one workspace.
How they work
When you create a key in Settings → API keys, we generate a 32-byte random token, hash it with Argon2, and store only the hash. The plaintext is shown to you exactly once, in the create dialog.
Every request from a chat client carries Authorization: Bearer smcp_…. The MCP runtime hashes the incoming token, looks it up, and resolves the workspace. From that point on, the request runs scoped to your workspace's data only.
One key per machine
We strongly recommend creating one key per machine or client, named after where you'll use it (e.g. Claude Desktop on my laptop, Cursor on the office iMac). That way, if you lose a laptop or rotate a machine, you can revoke just that key without breaking the others.
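The create / verify / revoke flow described under How they work and One key per machine, as an added example that is not the product's own code. It assumes a token layout of smcp_<key id>_<secret> (the page only shows the smcp_ prefix) and uses scrypt from the standard library in place of Argon2; the in-memory store stands in for the real key table.

```python
# Added example, not the Shop MCP implementation. Models what the page
# describes: a 32-byte random secret, a slow hash stored server-side, the
# plaintext shown once, Bearer lookup scoped to one workspace, and revoking
# a single named key. Assumptions: the "smcp_<id>_<secret>" layout and the
# scrypt hash (stdlib stand-in for Argon2) are ours, not the product's.
import hashlib
import hmac
import secrets
from typing import Optional

_KEYS: dict = {}  # key_id -> {salt, hash, workspace, name, revoked}

def _slow_hash(secret: str, salt: bytes) -> bytes:
    # scrypt stands in for Argon2 so the example runs with the stdlib only
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)

def create_key(workspace: str, name: str) -> str:
    """Returns the plaintext exactly once; only the salted hash is kept."""
    key_id = secrets.token_hex(4)       # short public lookup id (assumption)
    secret = secrets.token_hex(32)      # 32 random bytes, hex encoded
    salt = secrets.token_bytes(16)
    _KEYS[key_id] = {"salt": salt, "hash": _slow_hash(secret, salt),
                     "workspace": workspace, "name": name, "revoked": False}
    return f"smcp_{key_id}_{secret}"

def resolve_workspace(authorization: Optional[str]) -> Optional[str]:
    """Parses 'Authorization: Bearer smcp_...'; returns the workspace or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split("_", 2)
    if len(parts) != 3 or parts[0] != "smcp":
        return None
    rec = _KEYS.get(parts[1])
    if rec is None or rec["revoked"]:
        return None  # unknown or revoked key: request is rejected
    candidate = _slow_hash(parts[2], rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return rec["workspace"]  # every later operation is scoped to this

def revoke_key(workspace: str, name: str) -> int:
    """Revokes the key(s) with this name in one workspace; returns the count."""
    hit = 0
    for rec in _KEYS.values():
        if rec["workspace"] == workspace and rec["name"] == name and not rec["revoked"]:
            rec["revoked"] = True
            hit += 1
    return hit
```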
Rotation
To rotate a key:
- Create a new key with a similar name (e.g. add a date suffix).
- Update the chat client config to use the new key.
- Restart the client and confirm tools still load.
- Delete the old key.
We recommend rotating every 90 days for any key that lives on a shared machine. Keys on your personal devices can rotate yearly.
If a key leaks
- Revoke it immediately.
- Then check Usage for any tool calls in the window between leak and revocation. If you see anything you don't recognize, email security@shop-mcp.app and we'll help you trace what was accessed.
Roadmap: OAuth instead of bearer tokens
The MCP spec added OAuth 2.1 + PKCE as the recommended client auth in late 2025. We'll ship that in v1.1 — bearer tokens stay supported for at least 12 months after, and existing keys keep working through the migration.