Managing API keys
Create, copy, and revoke the organization-scoped API keys that authenticate MCP connections.
Every MCP connection authenticates with an API key. Keys are scoped to one organization and are read-only by design: a key can retrieve your organization’s published results, plus the data dictionary metadata behind them (the two dictionary tools, list_prepared_datasets and list_prepared_dataset_columns, return organization-scoped metadata regardless of publication state). It cannot see other organizations, the results of unpublished runs, or change anything. This page covers creating a key, what its lifecycle looks like, and how to revoke it.
Before you begin
- You are an organization admin (see roles and permissions).
- MCP is enabled for your organization; the API keys tab only appears once Neuralift has enabled it (see the overview).
Create a key
- Open your organization’s Settings and select the API keys tab.
- Enter a Name that describes what the key is for, such as
claude-code-marketingorBraze activation. Names make it easy to know what breaks when you later revoke a key. - Click Create key.
- Copy the key from the reveal panel using the Copy button. This is the only time the full key is shown. Neuralift stores only a hash of it, so it cannot be recovered later. Store it in a password or secret manager immediately.
The key looks like nlmcp_xxxxxxxxxxxx. You should now see it listed in the API keys tab with its creation date and an Active status, and after its first use, a last-used timestamp.
If you lose a key, there is no way to view it again: revoke it and create a new one.
Key lifecycle
| Property | Behavior |
|---|---|
| Format | Starts with nlmcp_; shown once at creation |
| Expiry | 365 days from creation by default |
| Scope | One organization; read-only; published results only (dictionary metadata is organization-scoped regardless of publication) |
| Last used | Timestamp updates as the key is used, so you can spot stale keys |
| Revocation | Immediate; revoked keys remain listed for audit |
Revoke a key
- In Settings → API keys, find the key by name.
- Click Revoke.
Revocation takes effect immediately: any client using that key stops authenticating on its next request. The revoked key stays in the list as an audit record; keys that are no longer active can also be deleted from the list.
Revoke a key right away if it may have been exposed (pasted into a shared document, committed to a repository, or held by someone who has left your organization), then create a replacement.
Keep keys safe
Treat a key like a password:
- Store keys in a secret manager, never in plain-text notes, chat, or source control.
- Create one key per integration (one for Claude Code, another for a Copilot Studio agent) so you can revoke each independently.
- Rotate keys when people leave the team, and rely on the 365-day expiry as a backstop, not a strategy.
- Check the last-used timestamp periodically and revoke keys nothing is using.
Note. A key’s access comes from the organization it belongs to, not from the admin who created it. Deactivating a user does not deactivate the keys they created; revoke those keys explicitly.
Next steps
- Connect Claude, Connect OpenAI, or Connect Microsoft Copilot with your new key
- Tools reference: what a key grants access to