Docs / API Keys

API key setup and handling

When to use

Use this for account-managed service integrations

Use API keys for first-party or controlled service-to-service workloads where OAuth connector trust flows are not required.

Request example

Validate key with tools/list

POST https://mcp.soundside.ai/mcp
Authorization: Bearer <your_api_key>
Content-Type: application/json

{"jsonrpc":"2.0","id":"1","method":"tools/list","params":{}}

Response example

Expected success signal

{
  "jsonrpc": "2.0",
  "id": "1",
  "result": {
    "tools": [{ "name": "create_video" }]
  }
}

Error behaviors

Key lifecycle failures

• 401 Unauthorized: missing, malformed, or revoked key.
• 403 Forbidden: key valid but blocked by client trust or tool policy.
• 429 Quota exceeded: apply retry windows from rate-limit headers.

Operational notes

Secure usage defaults

• Generate keys in /developer/console after sign-up and copy once.
• Store keys in a secret manager; never embed in client-side browser code.
• Rotate immediately on exposure suspicion and audit automation scopes regularly.
• Start with minimal tool tiers and expand only after run reliability is proven.