MCP Server
Authentication
API key setup, rate limits, and spending caps for the PRIV MCP server
The PRIV MCP server uses the same API key authentication as the REST API.
API Key Setup
- Sign up or log in at app.privlabs.io
- Navigate to Settings > API Keys
- Click Create New Key
- Copy your key (it won't be shown again)
Key Types
| Prefix | Environment | MCP Access |
|---|---|---|
| `pk_live_` | Production | Full access |
| `pk_test_` | Development | Testnet only |
How Authentication Works
The MCP server passes your API key to the PRIV API on every tool call. Keys are validated using SHA-256 hash comparison — your key is never stored in plaintext.
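A sketch of the hash-at-rest check described above, as an added example rather than PRIV's own code. `KeyStore`, its methods, and the random-token key format are hypothetical; only the prefixes and the use of SHA-256 come from this page.

```python
import hashlib
import hmac
import secrets

# Prefix -> environment mapping taken from the Key Types table.
PREFIXES = {"pk_live_": "production", "pk_test_": "development"}


class KeyStore:
    """Hypothetical server-side store that keeps only SHA-256 digests of keys."""

    def __init__(self):
        self._digests = {}  # hex digest -> environment

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, prefix: str) -> str:
        """Create a key, persist its digest, return the plaintext exactly once."""
        if prefix not in PREFIXES:
            raise ValueError("unknown key prefix")
        # Assumed format: prefix + 32 random bytes. With this much entropy a
        # fast unsalted hash is adequate at rest; that would not hold for
        # human-chosen passwords.
        key = prefix + secrets.token_urlsafe(32)
        self._digests[self._digest(key)] = PREFIXES[prefix]
        return key

    def verify(self, presented):
        """Return the key's environment, or None if the key is not valid."""
        if not isinstance(presented, str) or not presented.startswith(tuple(PREFIXES)):
            return None
        candidate = self._digest(presented)
        env = None
        # Each comparison is constant-time, so response timing does not reveal
        # how many leading characters of a digest matched.
        for stored, stored_env in self._digests.items():
            if hmac.compare_digest(candidate, stored):
                env = stored_env
        return env

    def stored_values(self):
        """What a database dump would expose: digests, never plaintext keys."""
        return list(self._digests)
```

Because only the digest is persisted, a lost key cannot be recovered from the store, which is why the key is shown once at creation.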
Agent → MCP Server → API (X-API-Key header) → SHA-256 validation → Response
Rate Limits
| Tier | Requests/min | Requests/day | Price |
|---|---|---|---|
| Free | 60 | 10,000 | $0 |
| Builder | 300 | 100,000 | $49/mo |
| Enterprise | 2,000 | Unlimited | Custom |
Rate limit headers are included in tool responses when approaching limits.
Rate limits apply per API key. If you need higher limits, upgrade your plan at app.privlabs.io/dashboard/billing.
Spending Caps (Phase 2+)
When transaction tools become available, you can set spending caps per API key:
| Setting | Description | Default |
|---|---|---|
| `max_per_transaction` | Maximum PRIV per single purchase | 1,000 PRIV |
| `daily_limit` | Maximum PRIV spent per day | 10,000 PRIV |
| `require_confirmation` | Require dry-run before execution | Enabled |
All financial operations default to dry-run mode — the tool returns a preview of what would happen without executing. The agent must explicitly confirm to proceed.
Security Best Practices
- Store API keys in environment variables, not in code
- Use `pk_test_` keys for development and testing
- Set spending caps before enabling transaction tools
- Monitor usage in the dashboard
- Rotate keys periodically