API Key Authentication
Authenticate the CloudZero MCP server with an API key instead of browser-based sign-in. Useful for automation, CI/CD pipelines, and clients that do not support OAuth.
API keys let you connect to the CloudZero MCP server without browser-based sign-in. This is useful for automation, CI/CD pipelines, and MCP clients that do not support interactive OAuth flows.
Prerequisites
- A CloudZero account with permissions to create API keys
- An MCP client that supports custom HTTP headers
Step 1: Create an API key
-
Navigate to Settings > API Keys in the CloudZero application.
-
Select Create New API Key.
-
Enter a name and description for the key.
-
Under API Key Scopes, expand the Ai-Hub section and select mcp.
-
Select Create API Key.
-
Copy the API key immediately. It will not be shown again.
For detailed instructions, see Create a new API key.
API keys are organization-level tokens. Anyone with the key has full access to all cost data in the associated organization. Treat API keys as secrets and do not commit them to version control.
Step 2: Configure your MCP client
Using .mcp.json
If your MCP client supports .mcp.json configuration (Claude Code, Cursor, VS Code, and others), add the following to your .mcp.json file:
{
"mcpServers": {
"cloudzero": {
"type": "http",
"url": "https://czca-server.discovery.cloudzero.com/mcp",
"headers": {
"X-Api-Key": "<your-api-key>"
}
}
}
}Replace <your-api-key> with the API key you created in step 1.
The
.mcp.jsonfile is typically located in your project root or home directory, depending on the client. Check your client's documentation for the exact location.
After npx add-mcp installation
If you installed the MCP server using npx add-mcp from the manual installation page, add the headers block to the existing server entry in your client's MCP configuration file:
| Client | Configuration file |
|---|---|
| Claude Code | ~/.claude.json or project .mcp.json |
| Cursor | .cursor/mcp.json in your project |
| VS Code | .vscode/mcp.json in your project or user settings |
Add the "headers" object to the existing server entry:
"headers": {
"X-Api-Key": "<your-api-key>"
}Using an environment variable
To avoid storing your API key directly in configuration files, reference an environment variable instead:
{
"mcpServers": {
"cloudzero": {
"type": "http",
"url": "https://czca-server.discovery.cloudzero.com/mcp",
"headers": {
"X-Api-Key": "${CLOUDZERO_API_KEY}"
}
}
}
}Then set the environment variable in your shell or CI/CD environment:
export CLOUDZERO_API_KEY="your-api-key-here"Do not commit API keys to version control. Use environment variables or a secrets manager for shared configurations.
Authentication behavior
The MCP server checks for authentication in the following order:
- API key — If an
X-Api-Keyheader is present, the server validates the key. OAuth is not checked. - OAuth — If no API key header is present, the server uses the OAuth bearer token from the browser-based sign-in flow.
You do not need to remove OAuth configuration when adding an API key. The X-Api-Key header takes precedence when both are present.
API key vs OAuth
| API key | OAuth | |
|---|---|---|
| Sign-in method | X-Api-Key header | Browser-based sign-in |
| Data access | Full access to all organization data | Restricted by your role's data access filters |
| Tool permissions | All tools available | Subject to permission set restrictions |
| Usage quotas | Metered with a daily limit per organization | Not metered |
| Best for | Automation, CI/CD, headless clients | Interactive use |
For details on daily usage quotas and what happens when the limit is reached, see Usage quotas.
Updated 9 days ago