Skip to main content

Overview

MCP API tokens provide read-only access to your NOFire AI data for IDE integrations (Cursor, Claude Desktop) and developer tools. They let you query production Knowledge, assess deployment risk, and investigate incidents—all without dashboard switching. What MCP tokens can do:
  • Query production entities and services
  • Assess deployment risk for code changes
  • Analyze blast radius and dependencies
  • View change history and recent deployments
  • Investigate incidents and service relationships
What MCP tokens CANNOT do:
  • Modify production infrastructure
  • Trigger deployments or rollbacks
  • Change system configurations
  • Execute commands in clusters
MCP tokens are read-only, they cannot modify infrastructure, trigger deployments, or execute commands.

Generating an MCP API Token

1

Navigate to Administration

Log in to your NOFire AI dashboard and go to AdministrationAPI Tokens
NOFire AI API Tokens empty state

API Tokens page - empty state

2

Create New API Token

Click Create API Token button
Create API Token form with MCP type selected

Create API Token form - Choose MCP type

Fill in the details:
  • Name: Descriptive name (e.g., “john-cursor-dev”, “sarah-claude-desktop”)
  • Type: Select MCP
Use descriptive names: developer-tool-purpose format makes key management easier. Examples: alice-cursor-dev, ci-pipeline-staging
3

Copy the API Token

Important: The token is shown only once!
API Token created with copy button and security warning

Token created successfully - Copy and save securely

Click Copy Token and save this securely. You’ll need it for IDE configuration.
Store this key securely! It cannot be retrieved later. If lost, you’ll need to generate a new key.
4

Configure Your IDE

Use the key in your MCP configuration:
{
  "mcpServers": {
    "NOFireAI": {
      "url": "https://mcp.nofire.ai",
      "transport": "http",
      "headers": {
        "X-API-Key": "your-mcp-key-here"
      }
    }
  }
}

API Token Management

Viewing API Tokens

In your dashboard under AdministrationAPI Tokens, you can see:
  • Key Name: The descriptive name you provided
  • Key Type: agent or mcp
  • Status: Enabled or Disabled
  • Created: When the key was generated
  • Last Used: Last successful authentication
The full API token is never displayed after initial creation for security reasons.
API Tokens list showing enable/disable toggle and delete button

API Tokens list with token management options

Deactivating API Tokens

You can temporarily deactivate tokens without deleting them:
  1. Go to AdministrationAPI Tokens
  2. Find the key you want to deactivate
  3. Click the toggle to change stEnabled or Disabled**
When to deactivate:
  • Employee leaving the team
  • Suspicious activity detected
  • Rotating keys as security practice
  • Temporarily disabling integration

Deleting API Tokens

Permanently remove API tokens:
  1. Go to AdministrationAPI Tokens
  2. Click the Delete button next to the key
  3. Confirm deletion
When to delete:
  • Key compromised
  • Integration no longer used
  • Replacing with new key
Deletion is immediate and irreversibleAny services using this key will immediately lose access. Make sure to update configurations before deleting production keys.

Security Best Practices

Create individual MCP tokens for each team member:
✅ Good:
- john-cursor-dev
- sarah-claude-desktop
- alex-vscode

❌ Bad:
- team-shared-key
- engineering-mcp
Benefits:
  • Track individual usage
  • Revoke access per person
  • Audit who made what queries
Use different keys for different purposes:
✅ Good:
- backend-ci-pipeline
- frontend-ci-pipeline
- developer-ide-john
- automation-scripts

❌ Bad:
- company-master-key
Benefits:
  • Limit blast radius of compromised keys
  • Track usage by purpose
  • Easier to rotate specific keys
Never store API tokens in:
  • Git repositories
  • Docker images
  • Configuration files in version control
  • Public documentation
Instead, use:
  • Environment variables
  • Secret management systems (encrypted vaults, secret stores)
  • CI/CD secret storage (GitHub Secrets, GitLab CI/CD variables)
  • Local config files in .gitignore
Add patterns to .gitignore:
# NOFire AI keys
.cursor/mcp.json
claude_desktop_config.json
**/nofireai.key
Implement key rotation as security practice:Recommended schedule:
  • Developer IDE keys: Every 6 months
  • CI/CD pipeline keys: Every 3 months
  • Shared automation keys: Every month
  • Compromised keys: Immediately
Rotation process:
  1. Generate new key with temporary name
  2. Update all configurations to use new key
  3. Test everything works
  4. Deactivate old key (not delete!)
  5. Monitor for 24-48 hours
  6. Delete old key if no issues
Regularly review key usage in your dashboard:Check for:
  • Keys not used in 30+ days (consider deactivating)
  • Unexpected usage patterns
  • Failed authentication attempts
  • Keys used from unusual locations
Set up alerts for:
  • Multiple failed authentication attempts
  • API token used from new IP address
  • Unusual query volume
On your local development machine:macOS/Linux:
# Restrict file permissions
chmod 600 ~/.cursor/mcp.json
chmod 600 ~/Library/Application\ Support/Claude/claude_desktop_config.json
Windows: Use NTFS permissions to restrict access to your user account only.Additional protection:
  • Use full-disk encryption
  • Lock computer when away
  • Use password manager for key storage
  • Enable 2FA on NOFire AI dashboard

API Token Security

NOFire AI API tokens are designed with security in mind:
  • Unique Identifiers: Each key is cryptographically unique and securely hashed
  • Type-Based Permissions: Keys have fixed permission levels based on their type (MCP tokens are always read-only)
  • Account Isolation: Keys are scoped to your specific account and cannot access other accounts’ data
  • Secure Storage: Keys are stored in an encrypted secret store using industry-standards.
Never share your API tokens publiclyAPI tokens provide access to your NOFire AI data. Treat them like passwords. Store them securely and never commit them to version control or share them in public channels.

Using Your MCP Key

Once generated, use your MCP token in your IDE configuration:

For Cursor or Claude Desktop

{
  "mcpServers": {
    "NOFireAI": {
      "url": "https://mcp.nofire.ai",
      "transport": "http",
      "headers": {
        "X-API-Key": "your-mcp-key-here"
      }
    }
  }
}
Full IDE setup guide →

Troubleshooting

Error: 401 Unauthorized - Invalid API tokenPossible causes:
  1. Key was copied incorrectly (missing characters)
  2. Key has been deactivated or deleted
  3. Using wrong key type for operation
  4. Key has expired or been revoked
Solutions:
  1. Re-copy key from secure storage (check for spaces or line breaks)
  2. Verify key is active in dashboard
  3. Ensure you’re using an MCP token (not an agent key)
  4. Generate a new key if the old one is lost or compromised
Error: 403 Forbidden - MCP tokens are read-onlyCause: Attempting a restricted operation with an MCP tokenSolution: MCP tokens are read-only and can only query and analyze data. They cannot modify production systems, trigger deployments, or change infrastructure.
Error: 429 Too Many RequestsCause: Exceeded API rate limitsCurrent limits:
  • 100 requests per minute per key
  • 1000 requests per hour per account
Solutions:
  1. Implement exponential backoff
  2. Cache results when possible
  3. Distribute load across multiple keys
  4. Contact support for higher limits

FAQ

No hard limit. Create as many keys as needed for your organization. Best practice is one key per developer/tool.
No, MCP tokens don’t automatically expire. However, we recommend rotating them periodically as a security best practice (every 6 months for developer keys).
Yes. The dashboard shows:
  • Last used timestamp
  • Total requests made
  • Failed authentication attempts
For detailed audit logs, contact enterprise support.
Technically yes, but not recommended. Create separate keys for:
  • Each developer
  • Each IDE/tool
  • Each CI/CD pipeline
This makes it easier to track usage and revoke access if needed.
Take these steps immediately:
  1. Deactivate the compromised key in the dashboard
  2. Generate a new MCP token
  3. Update your IDE configuration with the new key
  4. Review usage logs for suspicious activity
  5. Contact support@nofire.ai if you suspect unauthorized access
Impact of compromise:
  • ✅ Cannot modify infrastructure, deploy changes, or execute commands
  • ⚠️ Can query service topology, dependencies, and change history
  • ⚠️ Can access operational metadata (service names, deployment patterns)
  • ⚠️ Could reveal architecture details to attackers
Treat as P2 incident: While less severe than write-access compromise, a leaked MCP token still exposes operational intelligence. Rotate immediately.
Agent keys are used by the NOFire AI Kubernetes agent to send data to NOFire AI.For IDE use, you need MCP tokens (this guide). Agent keys are for infrastructure data ingestion only.

What’s Next?

Getting Started with MCP

Set up MCP integration in your IDE

Proactive Reliability

Learn about shift-left features

Security

Understand our security model

FAQ

Common questions and answers