MCP Authentication

Last updated June 19, 2026

The InitRepo MCP server uses API key authentication. Your agent presents an API key with each request; the server verifies the key, identifies the associated account, and authorizes read-only access to that account's projects. Keys are created on a paid plan but, once issued, keep working with the documents you generated even if your subscription later ends.

Getting your API key

API keys are generated from your InitRepo account page. Each key can read the projects on your account. You can create multiple keys — one per agent or environment — and revoke individual keys without affecting others.

To generate a key: go to Account, find the API Keys section, and click "Create key." Give the key a descriptive name (e.g., "Claude Code — local dev" or "Cursor — project X") so you can identify which agent is using which key in your audit logs.

Configuring your agent

Once you have an API key, add it to your agent's MCP server configuration. The InitRepo MCP server endpoint and your API key are the two values required. The key is passed as a header on each MCP request; the server validates it before returning any resources.

For Claude Code, the configuration goes in your project's .claude/settings.json under mcpServers:

{
  "mcpServers": {
    "initrepo": {
      "command": "npx",
      "args": ["initrepo-mcp"],
      "env": {
        "INITREPO_API_KEY": "your-api-key-here",
        "INITREPO_PROJECT_ID": "your-project-id"
      }
    }
  }
}

The project ID is shown on your project's page in the InitRepo dashboard.

Key scopes and permissions

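Keys are read-only today: an agent can list and read your project documents and query the context index, but cannot modify any project data. That makes them safe to hand to any agent that only needs to consume your planning documents, in the sense that the agent cannot change anything. A key still reads the projects on your account, so handle it as a secret.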

A Read + Write scope — letting agents write to agent-specific notes fields and update task status — is planned. Until it ships, every key is read-only.

Security considerations

Treat API keys as secrets. Do not commit them to version control; use environment variables or a secrets manager. In .claude/settings.json, reference the key from an environment variable rather than pasting it directly. Rotate keys periodically, and immediately revoke any key you suspect has been exposed.
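One way to enforce this before a commit, as an added example that is not part of InitRepo's tooling: the script below reads a settings file and reports every secret-looking variable under mcpServers.*.env whose value is a literal rather than an environment reference. The `${NAME}` reference syntax, the name pattern and the sample values are assumptions; match them to what your agent supports.

```python
import json
import re
import sys

# Assumption: an environment reference is written as ${NAME}. Adjust this to
# the expansion syntax your agent actually supports.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Assumption: variables with these words in the name hold secrets.
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.IGNORECASE)

# Constructed samples (not real keys or project IDs).
LITERAL = ('{"mcpServers": {"initrepo": {"env": {'
           '"INITREPO_API_KEY": "constructed-not-a-real-key", '
           '"INITREPO_PROJECT_ID": "constructed-project"}}}}')
REFERENCED = ('{"mcpServers": {"initrepo": {"env": {'
              '"INITREPO_API_KEY": "${INITREPO_API_KEY}", '
              '"INITREPO_PROJECT_ID": "constructed-project"}}}}')


def find_literal_secrets(settings_text):
    """Return (server, variable) pairs whose secret-looking value is a literal."""
    config = json.loads(settings_text)  # raises ValueError on malformed JSON
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    findings = []
    for server, spec in (servers or {}).items():
        env = spec.get("env") if isinstance(spec, dict) else None
        if not isinstance(env, dict):
            continue
        for name, value in env.items():
            if not SECRET_NAME.search(name):
                continue  # e.g. INITREPO_PROJECT_ID is not treated as a secret
            if isinstance(value, str) and ENV_REF.match(value):
                continue  # value is resolved from the environment at runtime
            findings.append((server, name))
    return findings


def main(argv):
    path = argv[1] if len(argv) > 1 else ".claude/settings.json"
    with open(path, encoding="utf-8") as handle:
        findings = find_literal_secrets(handle.read())
    for server, name in findings:
        # Report the location only; never echo the value itself.
        print(f"{path}: mcpServers.{server}.env.{name} holds a literal value")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status on a finding lets the script block a commit when run from a pre-commit hook or CI step.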

Your account page shows each key with the date it was created and when it was last used, so you can spot and revoke a key an agent is no longer using.