API keys

List Operator API key metadata without exposing or creating plaintext credentials through MCP.

The API key resource lets an authenticated agent with the api_keys.manage permission inspect the keys registered to the current account. An API key can call it only when the key creator still has that permission. The response returns metadata and a safe prefix, never the plaintext secret.

Discover API key operations

javascript
async () => Object.keys(spec.paths).filter((path) => path.includes('api-key'))

Understand the boundary

MCP can list existing key metadata when the actor has api_keys.manage, but it cannot create a new API key or recover a key’s plaintext secret. Create keys in Settings → Developer → API keys and copy the plaintext value when Cavuno shows it. Store it in the MCP client’s credential store or a secret manager, never in a prompt or repository.

If an unfamiliar or obsolete key appears, use its metadata to identify the owner and intended client before changing anything in the dashboard. Verify the remaining client still authenticates after a planned rotation.