This document describes how authentication and security are handled in the Vector Knowledge Base MCP Server.

• 🔒 Security Policy
  • 📖 Table of Contents
  • 📌 API Key Authentication
    • Header Format
  • 🔑 API Key Management
  • ⚠️ Best Practices

All protected routes require a valid API Key to be provided in the Authorization header.

Authorization: API-Key <your_api_key>

• API-Key is the required prefix.
• <your_api_key> must be replaced with the actual key value generated from the API key management endpoints.

Example:

curl -X GET http://localhost:8100/api/v1/knowledge-base \
  -H "Authorization: API-Key sk_test_xxxxxxx"

API Keys are managed via the /api/v1/api-keys endpoints:

• Create API Key

POST /api/v1/api-keys

• List API Keys

GET /api/v1/api-keys

• Update API Key

PUT /api//v1/api-keys/{id}

• Delete API Key

DELETE /api/v1/api-keys/{id}

Each key can be toggled active/inactive, and last usage is automatically updated on every request.

See API docs for the details.

• Treat API keys like passwords:
  • Do not share them publicly or commit them to version control.
  • Rotate keys regularly.
  • Delete unused keys immediately.
• Use different API keys for different environments (development, staging, production).
• Restrict API key usage to secure connections (https).