Auth and Permissions

How MCP access is authorized

MCP authentication uses the same API key system as the public API.

Authentication

  • Send your key as Authorization: Bearer <API_KEY>
  • Missing or invalid keys return 401
  • Keys are workspace-scoped, so tools can only access that workspace's data

Permission model

MCP does not bypass API permissions. Each MCP tool is mapped to a public API route + method, and tool access is granted only when that route is allowed for the key.

In practice, this means:

  • Read-only keys expose read-only tools
  • Full-access keys expose create/update/delete tools
  • Route-restricted keys expose only the tools whose routes the key allows

Recommended practice:

  • Use separate keys for MCP and direct API traffic
  • Start with the minimum permissions, then expand as needed
  • Rotate keys regularly and expire test keys
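The following is an added illustration, not code from this product, of the permission model described above: each tool is mapped to one public API route and method, and the tool list offered to a client is derived from which of those routes the key is allowed to call. The tool names, routes, tokens and workspace id are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    method: str   # HTTP method of the public API route, e.g. "GET"
    path: str     # public API path, e.g. "/v1/items"

# Hypothetical MCP tool -> public API route mapping (constructed for illustration).
TOOL_ROUTES = {
    "list_items":  Route("GET",    "/v1/items"),
    "get_item":    Route("GET",    "/v1/items/{id}"),
    "create_item": Route("POST",   "/v1/items"),
    "update_item": Route("PATCH",  "/v1/items/{id}"),
    "delete_item": Route("DELETE", "/v1/items/{id}"),
}

@dataclass(frozen=True)
class ApiKey:
    workspace: str       # keys are workspace-scoped
    allowed: frozenset   # Route values this key may call

def read_only_key(workspace):          # only the GET routes
    return ApiKey(workspace, frozenset(r for r in TOOL_ROUTES.values() if r.method == "GET"))
def full_access_key(workspace):        # every route behind a tool
    return ApiKey(workspace, frozenset(TOOL_ROUTES.values()))
def route_restricted_key(workspace, routes):   # an explicit allow-list of routes
    return ApiKey(workspace, frozenset(routes))

# Constructed sample tokens; a real deployment looks these up in a key store.
READ_TOKEN = "example-read-only-token"
FULL_TOKEN = "example-full-access-token"
KEYS = {READ_TOKEN: read_only_key("ws-demo"), FULL_TOKEN: full_access_key("ws-demo")}

def authenticate(headers):
    """Resolve `Authorization: Bearer <API_KEY>`; None means the caller gets 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return KEYS.get(token)

def exposed_tools(key):
    """Tools whose mapped route+method the key is permitted to call."""
    return sorted(name for name, route in TOOL_ROUTES.items() if route in key.allowed)

def list_tools(headers):
    """Tool-listing endpoint: 401 on a missing/invalid key, else only permitted tools."""
    key = authenticate(headers)
    if key is None:
        return 401, []
    return 200, exposed_tools(key)
```

Because the tool list is computed from the key's routes rather than stored separately, narrowing a key's API permissions narrows its MCP tools in the same step.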

For full key management guidance, see API Authentication.
