Blog

Security guides for the Model Context Protocol ecosystem

How to Add API Key Auth to Your MCP Server (The Right Way)

Most MCP servers that accept API keys do it wrong - they put them in tool parameters where they end up in LLM logs and the context window. Here's how to use HTTP headers instead, with code examples for the TypeScript MCP SDK.

MCP Security · Incorrect auth exposes API keys in LLM logs and context windows