Authentication

Learn how API keys work and best practices for keeping them secure.

How API Keys Work

The AppsAI MCP server uses API keys for authentication. Each API key is:

  • Scoped to your account — All operations use your permissions and credit balance
  • Hashed before storage — We never store your raw API key
  • Shown only once — Copy it immediately when created
  • Revocable — You can disable a key at any time

API Key Format

AppsAI API keys follow this format:

appsai_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6

The appsai_ prefix helps you identify AppsAI keys in your environment variables.

Creating API Keys

  1. Go to Settings → API Keys
  2. Click Create API Key
  3. Enter a descriptive name (e.g., "Production", "Development", "Claude Code")
  4. Copy the key immediately — it's only shown once

Important

The full API key is only displayed once when created. If you lose it, you'll need to create a new key.

Using API Keys

Pass your API key to the MCP server via the APPSAI_API_KEY environment variable:

claude mcp add appsai --env APPSAI_API_KEY=appsai_xxxxx -- npx @appsai/mcp-server

Or set it in your shell environment:

export APPSAI_API_KEY="appsai_xxxxx"

Revoking API Keys

If a key is compromised or no longer needed, revoke it immediately:

  1. Go to Settings → API Keys
  2. Find the key you want to revoke
  3. Click the trash icon and confirm

Revoked keys are immediately invalidated. Any MCP connections using that key will receive authentication errors.

Security Best Practices

Use separate keys for different environments

Create separate keys for development, staging, and production so you can revoke them independently.

Store keys in environment variables

Never hardcode API keys in your code. Use environment variables or secrets managers.

Rotate keys periodically

Create new keys and revoke old ones regularly, especially if team members leave.

Don't commit keys to version control

Add your .env files to .gitignore and never commit API keys to repositories.
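
The appsai_ prefix also makes leaked keys easy to catch before they reach a repository. The following is an added example, not part of AppsAI's tooling: a small scanner that can be run from a pre-commit hook or CI job over the files being committed. The key pattern (32 or more letters and digits after the prefix) is an assumption based on the sample key on this page, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Assumption: the body after "appsai_" is letters/digits, 32+ characters,
# inferred from the sample key on this page. Short documentation
# placeholders such as "appsai_xxxxx" are deliberately not matched.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])appsai_[A-Za-z0-9]{32,}")


def redact(key: str) -> str:
    """Keep only the prefix and last 4 characters so reports never leak the key."""
    return f"appsai_...{key[-4:]}"


def find_appsai_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_key) for every key-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


def scan_files(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan files, e.g. the staged file names a pre-commit hook passes in."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        findings += [(p, n, k) for n, k in find_appsai_keys(text)]
    return findings


# Constructed sample input: the long key is the format example from this
# page, not a live credential.
SAMPLE = '''\
export APPSAI_API_KEY="appsai_xxxxx"
API_KEY = "appsai_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6"
key = os.environ["APPSAI_API_KEY"]
'''

if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else [
        ("<sample>", n, k) for n, k in find_appsai_keys(SAMPLE)]
    for path, lineno, key in found:
        print(f"{path}:{lineno}: possible AppsAI API key {key}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit
```

Any key the scanner finds in a file that has already been committed or shared should be treated as compromised and revoked as described under Revoking API Keys.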

Error Codes

The MCP server returns specific errors for authentication issues:

401 Invalid API key

The API key is missing, malformed, or has been revoked.

Solution: Check that your APPSAI_API_KEY environment variable is set correctly.

402 Insufficient credits

Your account doesn't have enough credits for the operation.

Solution: Add credits at Settings → Billing → Add Funds.

403 Permission denied

The API key doesn't have permission for this operation.

Solution: Check that you own or have access to the project.