API Keys Management
Complete guide to creating, managing, and securing your BlokMCP API keys.
Overview
API keys are how your MCP client (Claude Desktop, Cursor, etc.) authenticates with BlokMCP. Each key is tied to your organization and provides access to your connected Storyblok spaces.
API keys are issued by BlokMCP and follow a specific format for validation.
Example: sb_mcp_xxxxxxxxxxxxxxxxxxxxxxxx
Creating API Keys
From the Dashboard
- Log in to blokmcp.com/dashboard
- Navigate to API Keys in the sidebar
- Click Create API Key
- Fill in the details:
  - Key Name: Descriptive name (e.g., "Claude Desktop - Work Laptop")
  - Description: (Optional) Additional notes
- Click Create Key
- Important: Copy the API key immediately - you won't be able to see it again!
Naming Conventions
Good API key names help you identify and manage keys:
Recommended naming:
- Claude Desktop - MacBook Pro
- Cursor IDE - Main Workstation
- Team - Marketing Bot
- Development - Local Testing
What to include:
- Client type (Claude Desktop, Cursor, etc.)
- Device or location
- Purpose or team
Using API Keys
In Claude Desktop
Add to your claude_desktop_config.json:
{
  "mcpServers": {
    "storyblok": {
      "url": "https://mcp.blokmcp.com",
      "headers": {
        "X-Api-Key": "sb_mcp_your_api_key_here"
      }
    }
  }
}
See Claude Desktop Configuration for details.
In Cursor IDE
Add to your Cursor settings.json:
{
  "mcp": {
    "servers": {
      "storyblok": {
        "url": "https://mcp.blokmcp.com",
        "headers": {
          "X-Api-Key": "sb_mcp_your_api_key_here"
        }
      }
    }
  }
}
See Cursor IDE Configuration for details.
Managing Multiple API Keys
When to Create Multiple Keys
Create separate API keys for:
- Different devices - One for laptop, one for desktop
- Different clients - Claude Desktop vs Cursor IDE
- Team members - Each person gets their own key
- Different environments - Development vs production
- Different projects - Separate keys per project
Benefits of Multiple Keys
- Track usage per device/person/project
- Selective revocation - Revoke without affecting other keys
- Security - Limit exposure if one key is compromised
- Audit trail - See which key was used for each operation
API Key Permissions
API keys inherit permissions from:
- Organization subscription - Tier determines rate limits
- Storyblok tokens - Management token permissions apply
- Space access - Only connected spaces are accessible
What API keys can do:
- Access all connected Storyblok spaces in your organization
- Perform operations permitted by your Storyblok management tokens
- Make requests up to your subscription tier's rate limits
What API keys cannot do:
- Access spaces not connected to your organization
- Exceed management token permissions
- Bypass rate limits
- Access other organizations' data
Revoking API Keys
When to Revoke
Revoke API keys when:
- Device is lost or stolen
- Team member leaves
- Key is accidentally exposed (e.g., committed to git)
- No longer needed
- Rotating keys for security
How to Revoke
- Log in to blokmcp.com/dashboard
- Navigate to API Keys
- Find the key to revoke
- Click the Delete or Revoke button
- Confirm the action
The key is immediately invalidated - any requests using it will fail.
After Revoking
If you revoked a key still in use:
- Create a new API key
- Update your MCP client configuration
- Restart your MCP client
API Key Security
Best Practices
- Never share API keys - Each person should have their own
- Never commit to git - Add config files to .gitignore
- Rotate regularly - Create new keys every 3-6 months
- Use descriptive names - Know what each key is for
- Revoke unused keys - Don't keep keys you're not using
- Store securely - Keep keys in secure configuration files
What NOT to Do
- Don't hardcode keys in code
- Don't share keys via email or chat
- Don't reuse the same key everywhere
- Don't keep keys for deleted devices/accounts
- Don't use production keys in development
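To enforce the "never commit to git" and "don't hardcode keys" rules automatically, a scanner can run over files before they are committed. The following is an added example, not BlokMCP's own tooling; the page does not publish the key alphabet, so the pattern (prefix `sb_mcp_` plus 16 or more letters or digits) is an assumption, and the sample config and key are constructed.

```python
import re

# Assumption: the page only shows "sb_mcp_" + 24 characters and no alphabet,
# so match the prefix followed by a run of 16+ letters/digits.
KEY_RE = re.compile(r"sb_mcp_[A-Za-z0-9]{16,}")
# Documentation placeholders such as sb_mcp_xxxxxxxx... are not secrets.
PLACEHOLDER_RE = re.compile(r"sb_mcp_(.)\1+$")

# Constructed sample: one fake but realistic key and one template placeholder.
SAMPLE = """{
  "mcpServers": {
    "storyblok": {
      "url": "https://mcp.blokmcp.com",
      "headers": {"X-Api-Key": "sb_mcp_A1b2C3d4E5f6G7h8I9j0K1l2"}
    },
    "docs": {"headers": {"X-Api-Key": "sb_mcp_your_api_key_here"}}
  }
}"""


def redact(key):
    """Keep enough to recognise the key, never the whole value."""
    return key[:11] + "..." + key[-2:]


def scan_text(text, source="<stdin>"):
    """Return (source, line_number, redacted_key) for every likely live key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.match(key):
                continue  # repeated single character: documentation filler
            findings.append((source, lineno, redact(key)))
    return findings


def main(paths):
    """Pre-commit style entry point: non-zero exit status when a key is found."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), path))
    for source, lineno, shown in findings:
        print(f"{source}:{lineno}: possible BlokMCP API key {shown}")
    return 1 if findings else 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1:]))
```

Run it with the staged file names as arguments from a pre-commit hook; findings are printed redacted so the hook output does not itself leak the key.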
If a Key is Compromised
If you think an API key has been exposed:
- Immediately revoke the key in the dashboard
- Create a new key to replace it
- Update your configuration with the new key
- Review usage logs to check for unauthorized access
- Rotate Storyblok tokens if necessary
Usage Tracking
Viewing Key Usage
In the dashboard, you can see:
- Total requests per key
- Recent activity timestamp
- Success/error rates
This helps you:
- Identify unused keys
- Track which device is making requests
- Monitor for unusual activity
Usage Limits
API keys are subject to:
- Rate limits (requests per minute)
- Monthly quotas (total requests per month)
Both depend on your subscription tier. See Subscription Tiers.
Multiple Spaces
Default Space
If you have multiple Storyblok spaces connected:
- One is marked as default
- The API key uses the default space unless another space is specified
- You can change the default in the dashboard
Specifying a Space
To use a specific space instead of the default, add the X-Storyblok-Space-Id header:
{
  "mcpServers": {
    "storyblok": {
      "url": "https://mcp.blokmcp.com",
      "headers": {
        "X-Api-Key": "sb_mcp_your_api_key_here",
        "X-Storyblok-Space-Id": "123456"
      }
    }
  }
}
Or use the space alias:
{
  "headers": {
    "X-Api-Key": "sb_mcp_your_api_key_here",
    "X-Storyblok-Space-Alias": "production-blog"
  }
}
Multiple Configurations
You can create separate MCP server configurations for each space:
{
  "mcpServers": {
    "storyblok-production": {
      "url": "https://mcp.blokmcp.com",
      "headers": {
        "X-Api-Key": "sb_mcp_production_key",
        "X-Storyblok-Space-Id": "123456"
      }
    },
    "storyblok-staging": {
      "url": "https://mcp.blokmcp.com",
      "headers": {
        "X-Api-Key": "sb_mcp_staging_key",
        "X-Storyblok-Space-Id": "789012"
      }
    }
  }
}
See Multi-Space Setup for details.
Troubleshooting
"Invalid API Key" Error
Possible causes:
- Key was revoked or deleted
- Typo in the key
- Key format incorrect
Solutions:
- Verify key in dashboard (API Keys page)
- Create new key if old one was revoked
- Copy/paste key to avoid typos
"Authentication Failed" Error
Possible causes:
- API key not provided
- Wrong header name (should be X-Api-Key)
- Key doesn't match organization
Solutions:
- Check configuration syntax
- Verify header name is exactly X-Api-Key
- Ensure key is from the correct organization
"Rate Limit Exceeded" Error
Not an API key issue - this means you've hit your tier's rate limit.
Solutions:
- Wait 60 seconds for limit to reset
- Upgrade to higher tier for more requests
- Spread operations over time
See Rate Limiting Guide.
Keys Not Showing Up
After creating a key:
- Restart your MCP client (Claude Desktop, Cursor, etc.)
- Keys don't auto-reload in running clients
API Key Rotation
Why Rotate Keys?
Regular rotation improves security:
- Limits exposure time if key is compromised
- Follows security best practices
- Ensures unused keys are removed
Recommended Schedule
- Every 3 months for high-security environments
- Every 6 months for regular use
- Immediately if compromised or suspicious
How to Rotate
- Create new API key in dashboard
- Update your MCP client configuration
- Test that new key works
- Revoke old key
- Update documentation/notes
Zero-Downtime Rotation
To avoid interruption:
- Create new key (keep old one active)
- Update configuration to use new key
- Restart MCP client
- Verify new key works
- Then revoke old key
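The "update configuration" step of the rotation above can be scripted so the key is swapped atomically and the file stays readable only by its owner. This is an added example, not BlokMCP code; it assumes the Claude Desktop layout shown earlier (`mcpServers` > server name > `headers`), and `rotate_key` and `fingerprint` are hypothetical helper names.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(key):
    """Short one-way tag for rotation notes, so the key itself is never written down."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def rotate_key(config_path, new_key, server="storyblok"):
    """Swap X-Api-Key for one server entry; return (old_fp, new_fp)."""
    with open(config_path, encoding="utf-8") as handle:
        config = json.load(handle)
    headers = config["mcpServers"][server]["headers"]
    old_key = headers["X-Api-Key"]
    if old_key == new_key:
        raise ValueError("new key is identical to the configured key")
    headers["X-Api-Key"] = new_key

    # Write to a temp file in the same directory, then rename it over the
    # original, so a crash never leaves a half-written config behind.
    # mkstemp creates the file with owner-only permissions (0600 on POSIX).
    directory = os.path.dirname(os.path.abspath(config_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(config, handle, indent=2)
            handle.write("\n")
        os.replace(tmp_path, config_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return fingerprint(old_key), fingerprint(new_key)
```

After the call, restart the MCP client and verify the new key works before revoking the old one in the dashboard; the returned fingerprints can go into the rotation notes in place of the keys.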
FAQs
Can I recover a deleted API key?
No. Once deleted/revoked, a key cannot be recovered. Create a new one.
How many API keys can I create?
No hard limit, but we recommend:
- Keep it manageable (5-10 keys max)
- Delete unused keys regularly
Can I share a key with my team?
Not recommended. Create individual keys for each team member for better tracking and security.
Do API keys expire?
No automatic expiration. They remain valid until you revoke them.
Can I rename an API key?
Not currently. To "rename," create a new key with the desired name and revoke the old one.
What happens if I delete all my keys?
You won't be able to use BlokMCP until you create a new key. Your data and configurations are safe.
Related Resources
- Multi-Space Setup - Working with multiple Storyblok spaces
- Security Best Practices - Comprehensive security guide
- Troubleshooting - Common issues and solutions
- Claude Desktop Setup - Complete setup guide
- Cursor IDE Setup - Cursor configuration
Need help with API keys? Visit the dashboard or contact support.