Skip to main content
The MCP server authenticates with your Konstantly tenant using a single bearer token — an MCP API key — passed in the X-MCP-Key HTTP header on every request.

Key anatomy

Every MCP key looks like this:
  • Prefix: kmcp_ — identifies the token type. Always present.
  • Body: 43 URL-safe base64 characters (256 bits of randomness). Generated by crypto.randomBytes(32) server-side.
  • Total length: 48 characters.
The full key is shown once at creation time. Konstantly stores only the SHA-256 hash; the plaintext is unrecoverable after the dialog closes.

Key lifecycle

Keys do not expire automatically. Add a calendar reminder to rotate periodically. Optional key expiry is on the roadmap.

Who the key authenticates as

Each MCP key is owned by a specific user — the admin who created it. Every tool call executes with that user’s permissions, exactly as if they had logged into the web UI and clicked the same button. Example: a learner-issued key cannot read admin-only audit logs, cannot assign training to others, cannot ban users — because the owning learner can’t do those things in the UI either. This is the same authorization model as everywhere else in Konstantly. There is no parallel “MCP permission system” to learn or get wrong. See the Permissions matrix for which role each tool requires.

Scopes

When generating a key, you choose its scopes: The MCP server consults the capabilities endpoint on startup to learn which scopes your key has, then registers only the tools the agent can actually call. Tools the agent can’t invoke aren’t shown to the LLM — the model never picks a tool that’s guaranteed to 403.

License tier interaction

Your tenant’s license tier sets an upper bound on what any MCP key can do, regardless of how the key was issued: If your tenant’s mcpAccess is changed mid-life-of-a-key (e.g. clamped to "read" or "none"), write tools fail silently for that key — no re-issue required. The clamp is applied on every request.

Capabilities endpoint

When the MCP server starts up, it calls:
Response:
The tools array reflects what the calling key can actually invoke after permission + scope + license filtering. The MCP server uses this to register tools with the LLM. Failed authentication on missing/invalid/revoked-key returns 401 Unauthorized with no body — no information leaks. The 403 MCP_LICENSE_DISABLED case is distinct: it’s only reachable with a valid key, so it deliberately tells the caller MCP isn’t enabled for the workspace instead of falling through to an opaque 401.

Error semantics

429 responses include a Retry-After value in the error message body. The MCP server automatically retries 429s with exponential backoff up to 3 times.

Programmatic verification

To verify a key works without going through an AI tool:
Expected: 200 OK with the JSON body shown above. Common failure modes:

Multiple keys per user

A single Konstantly user can have multiple MCP keys — one per device, per agent, per environment (e.g., one for your laptop’s Claude Desktop, one for your team’s Slack bot). Each has its own last_used_at and its own revoke control. There’s no built-in limit on key count per user. Revoke unused keys regularly to keep the list manageable.

Next steps

Tools Reference

All 25 tools, parameters, examples

Permissions matrix

Which role can invoke which tool

Security

Rate limits, audit log, best practices

Quickstart

Generate a key and try it