CloudZero Academy
Guides
CloudZero Status
  1. Analyze Spend with AI Hub

API Key Authentication

API keys let you connect to the CloudZero MCP server without browser-based sign-in. This is useful for automation, CI/CD pipelines, and MCP clients that do not support interactive OAuth flows.

Prerequisites

  • A CloudZero account with permissions to create API keys
  • An MCP client that supports custom HTTP headers

Step 1: Create an API key

Follow the instructions in Create a new API key and configure it with the following:

FieldValue
NameA descriptive name (for example, cloudzero-mcp-server)
ScopeAi-Hub > mcp
ℹ️

Copy your API key after creating it. The key is only displayed once and cannot be retrieved later.

Step 2: Configure your MCP client

Add the X-Api-Key header to your CloudZero MCP server configuration. For most AI tools, the full JSON configuration block looks like this:

{
  "mcpServers": {
    "cloudzero": {
      "type": "http",
      "url": "https://czca-server.discovery.cloudzero.com/mcp",
      "headers": {
        "X-Api-Key": "<your-api-key>"
      }
    }
  }
}

Replace <your-api-key> with the API key you created in step 1.

If you already have the CloudZero MCP server configured from the Set Up AI Hub page, add the "headers" object to your existing server entry. For where your AI tool stores its MCP configuration, see the setup guides listed on Set Up AI Hub.

Using an environment variable

API keys should be treated as sensitive credentials, and your organization's security policies likely require them to be stored securely. Use an environment variable instead of placing your API key directly in configuration files. Replace the key value with an environment variable reference:

"headers": {
  "X-Api-Key": "${CLOUDZERO_API_KEY}"
}

Set the CLOUDZERO_API_KEY environment variable wherever your AI tool runs.

Authentication behavior

  • You do not need to remove your OAuth configuration when adding an API key.
  • If both are configured, the API key takes precedence.
  • The MCP server checks for an X-Api-Key header first and only falls back to the OAuth bearer token when no API key is present.

What to know

  • API keys grant full access to all cost data in the organization. Role-based data access filters do not apply.
  • All MCP tools are available. Permission set restrictions do not apply.
  • API key usage is metered with a daily limit per organization. For details, see Usage quotas.
ℹ️

Have questions or feedback? Reach out to your account manager.

Updated about 19 hours ago