Browse documentation

Managing API keys

Preview This capability is in Preview and may not be enabled for your organization yet. About release stages

Create, copy, and revoke the organization-scoped API keys that authenticate MCP connections.

Every MCP connection authenticates with an API key. Keys are scoped to one organization and are read-only by design: a key can retrieve your organization’s published results, plus the data dictionary metadata behind them (the two dictionary tools, list_prepared_datasets and list_prepared_dataset_columns, return organization-scoped metadata regardless of publication state). It cannot see other organizations, the results of unpublished runs, or change anything. This page covers creating a key, what its lifecycle looks like, and how to revoke it.

Before you begin

  • You are an organization admin (see roles and permissions).
  • MCP is enabled for your organization; the API keys tab only appears once Neuralift has enabled it (see the overview).

Create a key

  1. Open your organization’s Settings and select the API keys tab.
  2. Enter a Name that describes what the key is for, such as claude-code-marketing or Braze activation. Names make it easy to know what breaks when you later revoke a key.
  3. Click Create key.
  4. Copy the key from the reveal panel using the Copy button. This is the only time the full key is shown. Neuralift stores only a hash of it, so it cannot be recovered later. Store it in a password or secret manager immediately.

The key looks like nlmcp_xxxxxxxxxxxx. You should now see it listed in the API keys tab with its creation date and an Active status, and after its first use, a last-used timestamp.

If you lose a key, there is no way to view it again: revoke it and create a new one.

Key lifecycle

PropertyBehavior
FormatStarts with nlmcp_; shown once at creation
Expiry365 days from creation by default
ScopeOne organization; read-only; published results only (dictionary metadata is organization-scoped regardless of publication)
Last usedTimestamp updates as the key is used, so you can spot stale keys
RevocationImmediate; revoked keys remain listed for audit

Revoke a key

  1. In Settings → API keys, find the key by name.
  2. Click Revoke.

Revocation takes effect immediately: any client using that key stops authenticating on its next request. The revoked key stays in the list as an audit record; keys that are no longer active can also be deleted from the list.

Revoke a key right away if it may have been exposed (pasted into a shared document, committed to a repository, or held by someone who has left your organization), then create a replacement.

Keep keys safe

Treat a key like a password:

  • Store keys in a secret manager, never in plain-text notes, chat, or source control.
  • Create one key per integration (one for Claude Code, another for a Copilot Studio agent) so you can revoke each independently.
  • Rotate keys when people leave the team, and rely on the 365-day expiry as a backstop, not a strategy.
  • Check the last-used timestamp periodically and revoke keys nothing is using.

Note. A key’s access comes from the organization it belongs to, not from the admin who created it. Deactivating a user does not deactivate the keys they created; revoke those keys explicitly.

Next steps