Skip to main content
Connecting Claude, ChatGPT, Cursor, or another app through its own UI? Use OAuth instead — no key to manage, and it’s the default for most users. This page covers API keys: a token-based path for scripts, backend services, and custom integrations that call the Deeto MCP Server directly.
The Deeto MCP Server uses API keys for authentication. Each key carries a privilege level that controls which tools it can access.

API key format

All requests require an API key in the Authorization header:
Keys always start with the dtk_live_ prefix.

Privilege levels

Privileges are hierarchical — higher levels inherit all permissions from lower levels.

Tool-to-privilege mapping


Generating a key

Only workspace Admins and Deeto Admins can generate API keys. When creating a key, specify:
  • Name — a descriptive label
  • Privilege — the access level for this key
Keys always follow this format:
The full API key is returned only once at creation time. Store it securely — it cannot be retrieved later. Only a truncated preview is shown in the management UI.
You cannot create a key with a higher privilege level than your own. An Admin cannot create a Deeto Admin key.

Making your first API call

Once you have a key, here’s how to start using it.
1

Initialize the connection

Send an initialize request to establish the MCP session:
Response:
Your vendorId is included in the initialize response instructions field. You do not need to pass it in any subsequent tool calls — the server reads it automatically from your API key.
2

List available tools

Discover which tools your API key can access:
The response includes each tool’s name, description, and input schema. Tools above your privilege level are not returned.
3

Make your first call

Start with get-stats for a quick workspace overview:
Response:
4

Query your data

Try querying references with filtering and pagination:

Key management

Revoking keys

API keys can be revoked at any time by Admins or Deeto Admins. Revoked keys are immediately invalidated — there is no propagation delay.

Key tracking

The system tracks when each key was last used. Use this to identify and clean up inactive keys.

Key storage

Keys are stored as one-way SHA-256 hashes server-side. The plaintext key is shown only once and cannot be retrieved.

Key management capabilities


Authentication errors


Best practices

  • Use minimum privilege — Create keys with only the access level needed
  • Rotate keys regularly — Revoke old keys and generate new ones periodically
  • One key per integration — Use separate keys for different applications
  • Never expose keys — Do not commit keys to source control or expose them client-side
  • Monitor usage — Review last-used timestamps to identify inactive keys

Connecting with Claude Desktop

Add this to your Claude Desktop MCP configuration file:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
Replace dtk_live_your_api_key_here with your actual API key. After saving, restart Claude Desktop. A hammer icon confirms MCP tools are active.
Your API key is stored in the config file on your local machine. Make sure this file is not shared or committed to version control.
Once connected, you can ask Claude things like:
  • “How many references do we have?”
  • “Show me all confirmed references at enterprise companies”
  • “Find all quotes tagged with ‘ROI’”
  • “Find all quotes tagged with ‘enterprise’”
  • “Create a case study based on our Acme Corp references”
Use a contentViewer key if you only need read access. Only use higher-privilege keys when you need to create records or manage content.
This is the API-key connection method. If you’d rather connect Claude Desktop (or any app) through a browser sign-in instead of managing a key, see OAuth Getting Started.

Need help?

Contact your Deeto Customer Success Manager or email support@deeto.ai.