> ## Documentation Index > Fetch the complete documentation index at: https://docs.trypost.it/llms.txt > Use this file to discover all available pages before exploring further. # API Keys > Create and manage API keys to authenticate your requests to the TryPost API and MCP server. ## What are API keys? API keys authenticate requests to the TryPost REST API and MCP server. Every API call and AI assistant connection requires a valid key. Keys are scoped to a **single workspace** — an API key can only access the workspace it was created in. ## Creating an API key Go to **API Keys** in the sidebar and click **Create API Key**. | Field | Required | Description | | -------------- | -------- | -------------------------------------------------------------------------- | | **Name** | Yes | A label to identify the key (e.g., `Production`, `CI/CD`, `MCP`, `Cursor`) | | **Expiration** | No | Optional expiration date. After this date, the key stops working | After creation, the full key is shown **once**. Copy it immediately. TryPost stores a hash of your API key, not the key itself. If you lose it, you'll need to create a new one. ## Where to use your API key The same key works for both the REST API and MCP server: ### REST API Pass the key as a Bearer token in the `Authorization` header: ```bash theme={null} curl -X GET https://app.trypost.it/api/posts \ -H "Authorization: Bearer YOUR_API_KEY" ``` ### MCP Server Use the key in your AI assistant's MCP configuration: ```json theme={null} { "mcpServers": { "trypost": { "type": "http", "url": "https://app.trypost.it/mcp/trypost", "headers": { "Authorization": "Bearer YOUR_API_KEY" } } } } ``` See the [Build with AI](/ai/introduction) section for setup guides for each AI assistant. ## Expiration API keys can be created with or without an expiration date: * **No expiration** — The key remains active until you manually delete it * **With expiration** — The key automatically becomes inactive after the set date. Requests return a `401` error Expired keys are not deleted — they stay visible so you can track usage history. You can delete them when ready. ## Security best practices Create different keys for different purposes: `Production API`, `Cursor MCP`, `CI/CD Pipeline`. If one is compromised, you only need to rotate one. If you're sharing a key with a contractor or external tool, set an expiration date. Store keys in environment variables, `.env` files (not committed), or secret managers. Never hardcode them. Create a new key, update your integrations, verify the old key's **Last used** timestamp shows no recent activity, then delete it. ## Deleting an API key You can delete an API key at any time from the dashboard or via the [API](/api-reference/endpoint/delete-api-key). Deletion is **immediate and irreversible** — any application or AI assistant using the key will immediately start receiving `401` errors. Check the **Last used** column before deleting to make sure the key isn't actively in use. ## FAQ There's no limit. Create as many as you need. No. The full key is only shown once. TryPost stores a secure hash, not the original key. Yes. One key authenticates both REST API requests and MCP connections. They're the same authentication mechanism. The API returns a `401 Unauthorized` error. Create a new key to restore access. No. Keys are scoped to the workspace where they were created. Create a separate key for each workspace. Yes. API requests are throttled to prevent abuse. If you exceed the limit, you'll receive a `429` status code.