Authentication
Reactor's MCP server uses API key authentication. Every request carries your key as a Bearer token, and the key identifies your workspace — there is nothing else to configure.
Generate an API key
- Log in to Reactor and go to Settings → API.
- Click Generate New Key.
- Name the key for the integration that will use it (e.g. "Claude Code", "Automation").
- Copy the key immediately — it is shown only once.
Use the key
Pass the key as a Bearer token in the Authorization header. With the remote MCP, that's the --header flag on mcp-remote:
npx -y mcp-remote https://app.reactor.tools/api/mcp --header "Authorization: Bearer YOUR_API_KEY"
In a client config block:
{
"mcpServers": {
"reactor": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://app.reactor.tools/api/mcp",
"--header",
"Authorization: Bearer YOUR_API_KEY"
]
}
}
}
See Install the MCP for full per-client setup.
How it works
Reactor stores only a SHA-256 hash of your key, never the plaintext. On each request it hashes the presented key, matches it to the stored hash, and resolves the workspace the key belongs to. All tool calls are then scoped to that workspace automatically.
Security notes
- Don't commit API keys to source control.
- Use a separate key per integration so you can revoke one without disrupting the others.
- Rotate keys periodically from Settings → API.
- Keys are valid until you revoke them — there is no automatic expiry.
- Deleting a key takes effect immediately; any client using it will start getting
401s.
Error responses
| Error | Cause |
|---|---|
401 Unauthorized | Missing, malformed, or revoked API key |
403 Forbidden | Key is valid but lacks access to the requested resource |
429 Too Many Requests | Rate limit exceeded |