> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nikiwa.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create, use, and revoke Nikiwa developer keys for the Tools API and MCP server.

Developer keys, labeled **MCP Keys** in the app, are personal tokens that authenticate you to the [MCP server](/mcp/overview). Use them for scripts, servers, and any client where the browser-based [OAuth flow](/mcp/connect-oauth) is not a fit. Each key begins with `nkw_live_`.

## Create a key

<Steps>
  <Step title="Open the app">
    Sign in at [nikiwa.com](https://nikiwa.com).
  </Step>

  <Step title="Open MCP Keys">
    Click your profile in the sidebar, then **MCP Keys**.
  </Step>

  <Step title="Create">
    Give the key a name, such as "trading-bot" or "research-notebook", and create it.
  </Step>

  <Step title="Copy it now">
    The full key is shown once. Copy it and store it somewhere safe. Nikiwa never displays the full key again.
  </Step>
</Steps>

<Warning>
  The raw key is revealed only at creation. After that, the app shows only a non-secret key prefix. If you lose a key, revoke it and create a new one. There is no way to recover the original secret.
</Warning>

## Use a key

Add the key as a Bearer token in your MCP client's config for the Nikiwa server:

```json MCP client config theme={null}
{
  "mcpServers": {
    "nikiwa": {
      "url": "https://pro-api.nikiwa.com/mcp",
      "headers": {
        "Authorization": "Bearer nkw_live_YOUR_KEY"
      }
    }
  }
}
```

<Note>
  Exact config differs per client, but the essentials are always the same: the endpoint `https://pro-api.nikiwa.com/mcp` and an `Authorization: Bearer` header carrying your key.
</Note>

## Manage keys

From the **MCP Keys** panel you can see each key's name, prefix, creation date, and when it was last used, along with its [usage](/mcp/usage).

### Revoking a key

Revoke a key from the same panel. Revocation is immediate: a revoked key stops authenticating to both the API and the MCP server at once. Revoke any key you suspect has leaked, then create a replacement.

## Scope and limits

* **Scope**: keys carry `mcp:call`, which authorizes the MCP server. The [Tools API](/api-reference/overview) uses a separate `api:call` scope.
* **Rate limit**: each key has its own per-minute [rate limit](/api-reference/rate-limits), 60 requests per minute by default.
* **Metering**: usage is tracked per key. See [Usage & metering](/mcp/usage).

<Warning>
  A key authenticates as you. Never commit one to source control or ship it in client-side or browser code, where users could extract it.
</Warning>
