Manage your API keys

The Hadron portal's API keys page is the single dashboard for your personal Bearer credentials — both keys you mint yourself for scripts and tools AND tokens issued by MCP clients (Claude Desktop, VS Code) that walked through Hadron's OAuth flow.

From there you can:

  • Mint a new key for an arbitrary use case (a CLI script, a one-off curl command, a personal automation).
  • See every active + revoked key for your account, with last-used timestamps and a source badge that tells you which OAuth client issued each token.
  • Revoke a key the moment you suspect it's leaked or no longer needed — the next request bearing that key gets a 401 immediately.

Where it lives

In the Hadron portal: sidebar → API keys (under the Usage section), or directly at /app/account/api-keys.

When to mint your own key vs. let OAuth do it

| Scenario | Recommended path |
| --- | --- |
| You're connecting Claude Desktop, VS Code, or another MCP client that supports OAuth | Let OAuth do it — see Install in Claude Desktop / Install in VS Code. The token is minted on your behalf at the end of the consent flow. |
| You're writing a script, automation, or one-off curl that calls /mcp directly | Mint one here. |
| You're connecting an MCP host that doesn't support OAuth yet | Mint one here + paste it into the host's bearer-token config field. |
| You're building an App backend that serves multiple users | Use an AppKey instead — see Connecting an MCP host. App keys live on the App's settings page, not here. |

The page shows BOTH portal-minted and OAuth-issued keys; the source badge distinguishes them so you always know which client (or you) is responsible for any given row.

Minting a key

  1. Open the API keys page.
  2. In the Mint a new API key section, optionally fill in a Label — a short name only you see, useful for remembering which device or script the key is for (e.g. "MacBook — local-dev script", "Production deploy job").
  3. Click Mint new key.
  4. The page shows a one-shot reveal banner at the top with the raw key value (hdr_user_<64 hex chars>).

⚠️ Copy the key NOW. This is the only time you'll see the full value. The Hadron server stores only a SHA-256 hash; if you lose the key, you can't recover it — you have to revoke and mint a new one.

  5. Click I have copied this key to dismiss the banner.

The key is immediately usable as a Bearer token against /mcp:

curl -H "Authorization: Bearer hdr_user_…" \
     https://srv.hadronmemory.com/mcp

Reading the list

Each row in the key list shows:

| Column | What it means |
| --- | --- |
| Label | What you typed when minting; or for OAuth-issued tokens, OAuth: <client name> set by the server. |
| Key | The last 4 characters of the raw key, for matching against your password manager. |
| Status | Active (green) or Revoked (gray, with the row dimmed). |
| Source | Portal if you minted it here. OAuth: dcr_<client_id> if an MCP client OAuth flow minted it; the dcr_… suffix identifies which OAuth client. Unknown for any legacy/imported row that lacks a source attribution. |
| Created | When the key was minted. |
| Last used | When /mcp most recently accepted a request bearing this key. Useful for spotting keys you forgot existed — revoke anything you haven't used in a while. |
| Action | A Revoke button on active keys. |

Revoked keys stay in the list (dimmed) so you have an audit trail of what was previously issued — particularly useful when investigating "who/what was accessing my data last week?"

Revoking a key

  1. Find the row for the key you want to revoke.
  2. Click Revoke.
  3. A confirmation dialog opens — it shows the key's last-4 preview so you can double-check.
  4. Click Yes, revoke this key.

The row's badge flips to Revoked, the row dims, and the next request bearing that key returns 401 Unauthorized from /mcp. Revocation is immediate — there's no grace period or propagation delay; the key stops working between one request and the next.

When to revoke

  • The key is in a file you accidentally committed to a public repo.
  • A laptop with the key on it was lost or stolen.
  • You're rotating credentials as a routine hygiene step.
  • You no longer need access from a particular device or script.
  • (For OAuth-issued tokens) you want to disconnect a specific MCP client.
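
For the first case in this list, a key sitting in a file that is about to be committed, the following added example (not part of Hadron's tooling) scans a working tree for strings in the hdr_user_<64 hex chars> format and reports only the last 4 characters, so a hit can be matched against the Key column and revoked. The skipped directory names and the acceptance of upper-case hex are assumptions.

```python
import re
import sys
from pathlib import Path

# Key format from this page: "hdr_user_" followed by 64 hex characters.
# Accepting upper-case hex as well is an assumption made to avoid misses.
KEY_RE = re.compile(r"hdr_user_[0-9a-fA-F]{64}(?![0-9a-fA-F])")
SKIP_DIRS = {".git", "node_modules", ".venv"}  # assumed, adjust per project


def find_keys(text):
    """Return the last-4 preview of every key-shaped string in text."""
    return [m.group(0)[-4:] for m in KEY_RE.finditer(text)]


def scan_tree(root):
    """Return (relative_path, line_number, last4) for each key under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for lineno, line in enumerate(text.splitlines(), 1):
            hits.extend((str(rel), lineno, last4) for last4 in find_keys(line))
    return hits


# Constructed sample: one key-shaped value and one harmless placeholder.
SAMPLE = 'TOKEN = "hdr_user_' + "ab12" * 16 + '"\nDOC = "hdr_user_<64 hex chars>"\n'

if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, lineno, last4 in found:
        # Never print the full key; the last 4 match the portal's Key column.
        print(f"{rel}:{lineno}: Hadron key ending in {last4}")
    sys.exit(1 if found else 0)
```

Run as a pre-commit step, the non-zero exit status blocks the commit; any key it reports should be treated as exposed and revoked rather than just deleted from the file.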

Cross-user revoke attempts

For security, if you ever guess at someone else's key ID and try to revoke it, the API returns "not found" — exactly the same response as revoking a key that doesn't exist. This prevents key-ID enumeration. (The page never exposes anyone else's key IDs to begin with; this is defense-in-depth.)

What you don't have to manage

A few things are handled for you and don't need explicit action:

  • Hashing. Hadron never stores raw keys; only SHA-256 hashes. If the database leaked tomorrow, an attacker couldn't authenticate with the leaked content.
  • Expiry. Keys don't expire by themselves. Revoke explicitly when you no longer need them.
  • In-key permissions. Permissions live on the User row, not on the key. Every key issued to your account has the same access; an org-admin promotion takes effect on every existing key immediately.
  • Refresh tokens. None are issued. The token is long-lived; you rotate by minting + revoking, not by refreshing.
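
The hash-only storage described under Hashing, together with the immediate revocation and the uniform "not found" answer described under Cross-user revoke attempts, can be modelled in a few lines. This is an added illustration, not Hadron's server code; the class, field names and in-memory layout are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class KeyRow:
    key_id: str
    owner: str
    last4: str          # only preview kept, as in the portal's Key column
    revoked: bool = False


class KeyStore:
    """Toy in-memory model (hypothetical names, not Hadron's schema)."""

    def __init__(self):
        self._by_hash = {}  # SHA-256 hex digest of raw key -> KeyRow
        self._by_id = {}    # key_id -> KeyRow

    def mint(self, owner):
        raw = "hdr_user_" + secrets.token_hex(32)  # 64 hex chars, returned once
        row = KeyRow(key_id=secrets.token_hex(8), owner=owner, last4=raw[-4:])
        # A random 256-bit key has enough entropy that plain SHA-256 suffices.
        self._by_hash[hashlib.sha256(raw.encode()).hexdigest()] = row
        self._by_id[row.key_id] = row
        return raw, row.key_id

    def authenticate(self, bearer):
        """Return (status, owner) for a presented Bearer value."""
        row = self._by_hash.get(hashlib.sha256(bearer.encode()).hexdigest())
        if row is None or row.revoked:
            return 401, None   # revocation applies on the very next request
        return 200, row.owner

    def revoke(self, caller, key_id):
        row = self._by_id.get(key_id)
        # Identical answer for a missing key and for another user's key,
        # so the response cannot be used to enumerate key IDs.
        if row is None or row.owner != caller:
            return "not found"
        row.revoked = True
        return "revoked"

    def stored_values(self):
        """What a database dump would contain: digests, never raw keys."""
        return list(self._by_hash)
```

Presenting a stored digest as a Bearer value fails because the server hashes whatever it receives before the lookup, which is why a leaked table does not yield working credentials.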

See also

  • Install in Claude Desktop — sets up an OAuth-issued token instead of a portal-minted one.
  • Install in VS Code — same OAuth path for VS Code.
  • Authentication — conceptual overview of Hadron's two credential paths (AppKey vs. UserApiKey), why they exist, and which one fits which use case.