AI Workflow MCP

API Keys

How authenticated keys are created, used, and revoked.

API keys are managed from the production web account page:

https://aiworkflowmcp.com/en/account/api-keys/

Sign-In Flow

Sign in with Google/Gmail or email through production Clerk. The account page is protected by Clerk middleware and redirects unauthenticated users to:

https://aiworkflowmcp.com/en/sign-in/

The protected account route is:

/:locale/account/*

The API key page is the default account destination. Opening https://aiworkflowmcp.com/en/account/ redirects to the API key manager.

Create A Key

  1. Open https://aiworkflowmcp.com/en/account/api-keys/.
  2. Enter a short name such as Local Claude Code, CI smoke, or Production app.
  3. Click Create key.
  4. Copy the returned secret immediately.

Keys use the ak_ prefix. The full value is displayed once and cannot be recovered later.

Storage

Keys are generated once and displayed once. The full secret is never stored after creation. D1 stores the key hash, prefix, user id, tier, creation time, last-used time, and revocation time.

The web account page shows active and revoked keys with:

  • key name
  • key prefix
  • tier
  • creation time
  • last-used time
  • revoked state
  • 30-day usage count

Request Headers

Preferred form:

curl -fsS \
  -H "Authorization: Bearer ${AIWORKFLOWMCP_API_KEY}" \
  "https://mcp.aiworkflowmcp.com/v1/models/list?limit=1"

You can also send the key as x-api-key, but Authorization: Bearer ... is the preferred form.

Fallback form:

curl -fsS \
  -H "x-api-key: ${AIWORKFLOWMCP_API_KEY}" \
  "https://mcp.aiworkflowmcp.com/v1/tools/list?limit=3"

Quotas And Usage

Public calls are rate-limited by IP. Authenticated calls are rate-limited by API key and receive a higher per-minute limit.

Current production health exposes:

public limit: 120 requests/minute
authenticated limit: 600 requests/minute

The account page calculates the 30-day call count from usage_log. Usage is recorded for authenticated REST and MCP requests after the Worker responds.

Revocation

Revoked keys return:

401 invalid API key

The account page keeps revoked keys visible with prefix, creation time, last-used time, and 30-day call count so users can audit their own usage.

Auth Failures

Wrong prefix:

{
  "error": "invalid API key",
  "hint": "Use Authorization: Bearer ak_..."
}

Unknown, revoked, or deleted key:

{
  "error": "invalid API key"
}

Expired key:

{
  "error": "expired API key"
}

All authentication failures return 401 and cache-control: no-store.
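
The hash-only storage and the failure responses described above can be modeled together. This is an added example, not the service's own Worker code. It assumes the stored hash is SHA-256 of the full secret, uses an in-memory Map in place of D1, and the column names (including expires_at), sample secrets, and the authenticate, addKey and deny helpers are hypothetical.

```javascript
// Added illustration; not the service's Worker code.
const { createHash } = require("node:crypto");

// Assumption: the stored "key hash" is hex SHA-256 of the full secret.
const hashKey = (secret) => createHash("sha256").update(secret).digest("hex");

// Constructed sample rows standing in for the D1 table; column names are hypothetical.
const keys = new Map();
function addKey(secret, fields = {}) {
  keys.set(hashKey(secret), {
    prefix: secret.slice(0, 7), user_id: "user_demo", tier: "free",
    created_at: 1000, last_used_at: null, revoked_at: null,
    expires_at: null, // hypothetical column, implied by the "expired API key" error
    ...fields,
  });
}
addKey("ak_live_example_active");
addKey("ak_live_example_revoked", { revoked_at: 2000 });
addKey("ak_live_example_expired", { expires_at: 1500 });

// Every authentication failure is a 401 with cache-control: no-store.
function deny(error, hint) {
  return { status: 401, headers: { "cache-control": "no-store" },
           body: hint ? { error, hint } : { error } };
}

// headers: plain object with lowercase names; now: epoch seconds.
function authenticate(headers, now) {
  const auth = headers["authorization"] || "";
  // Preferred form first, then the x-api-key fallback.
  const presented = auth.startsWith("Bearer ") ? auth.slice(7).trim()
                                               : (headers["x-api-key"] || "");
  if (!presented) return { status: 200, authenticated: false }; // public call, limited by IP
  if (!presented.startsWith("ak_")) {
    return deny("invalid API key", "Use Authorization: Bearer ak_...");
  }
  const row = keys.get(hashKey(presented)); // lookup by hash; the secret is never stored
  // Unknown and revoked keys get the same body, so a caller cannot tell them apart.
  if (!row || row.revoked_at !== null) return deny("invalid API key");
  if (row.expires_at !== null && row.expires_at <= now) return deny("expired API key");
  row.last_used_at = now;
  return { status: 200, authenticated: true, user_id: row.user_id, tier: row.tier };
}
```

Because only the hash is kept, a lost secret cannot be recovered from storage; the key has to be revoked and a new one created.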