Skip to main content
“API key” gets used for a few different things in MCPJam. The short version:
  • To call the MCPJam API, you want the MCPJam API key (sk_…) — the first one below.
  • Two others here are third-party secrets you supply, not keys MCPJam issues — they’re listed only because the name collides.
  • One older key (mcpjam_…) is retired and no longer works.

MCPJam API key (sk_…)

The key for the MCPJam API — programmatic access to live MCP server diagnostics at https://app.mcpjam.com/api/v1/.... This is the one to reach for whenever you mean “the MCPJam API key.” Where it lives: Settings → API keys in the hosted app — that link takes you straight to key creation (sign in if prompted; you’ll land back on the page). Shown exactly once at creation — store it in your own secret manager or an environment variable. When it’s used: Every Authorization: Bearer sk_… request to /api/v1/* — validating servers, running the doctor, listing tools/prompts/resources, reading resources, exporting snapshots, and saving @mcpjam/sdk eval results (set MCPJAM_API_KEY to this key; see Saving Results). Errors you might see
  • 401 UNAUTHORIZED → invalid or revoked key.
  • 401 with details.reason: "ORPHANED_KEY" → the key lost its organization binding; create a new one from Settings.
  • 403 FORBIDDEN (“API keys cannot manage other API keys”) → you pointed an sk_… key at the key-management endpoints; key management is UI-only.
  • 429 RATE_LIMITED → per-key rate limit (60/min, burst 10); honor Retry-After.
Full surface in the MCPJam API reference.

LLM provider key — not an MCPJam key

A secret from an LLM provider (OpenAI, Anthropic, Google, xAI, Groq, Mistral, …). MCPJam never issues this — it just uses the key you paste in to call that provider on your behalf. Where it lives: Settings → LLM Providers. When it’s used: Every Playground chat against a provider model that isn’t MCPJam’s free hosted model. Errors: “Invalid API key for OpenAI / Anthropic / …” → wrong, expired, or for a different project. (“MCPJam model limit reached” is a different problem.) You don’t need one to run inspector probes (Tools, Resources, Prompts, OAuth Debugger, conformance) — those only talk to MCP servers.

Playground BYOK — not an MCPJam key

A per-server bearer token for an HTTP MCP server that requires Authorization: Bearer .... MCPJam forwards it to that one server only; it never authenticates you to MCPJam. Where it lives: Servers card → Headers field, or config.json under mcpServers.<name>.headers.Authorization (e.g. "Authorization": "Bearer ${MY_SERVER_TOKEN}"). When it’s used: Every request the inspector makes to that MCP server. Errors: auth/http_401, auth/http_403 — the target server rejected the token.

Project API Key (mcpjam_…) — retired

Retired. Project API keys no longer work: existing keys no longer authenticate, new keys can’t be generated, and the /sdk/v1/evals/* ingestion endpoints they protected return 410 Gone for every request. Eval reporting now runs on the MCPJam API key (sk_…) through the MCPJam API — see Saving Results.
This was a project-scoped token for @mcpjam/sdk / CLI traffic to the hosted backend, read from the MCPJAM_API_KEY environment variable. If your CI logs show 410 reporting errors, this retirement is why. To fix CI: upgrade @mcpjam/sdk, replace the MCPJAM_API_KEY value with an sk_… key from Settings → API keys, and (optionally) set MCPJAM_PROJECT_ID to keep filing results under the same project — otherwise they land in your org’s Default project. Old SDK versions’ default auto-save path warns and continues, so eval runs themselves keep passing either way.

Quick reference

KeyFormatIssued byUse it for
MCPJam API keysk_…Settings → API keysThe MCPJam API (/api/v1/*)
LLM provider keyprovider-specificthe LLM providerPlayground chat — third-party
Playground BYOKserver-specificyour MCP serverAuthenticating to one MCP server — third-party
Project API Keymcpjam_…— (no longer issued)Retired — no longer works