
Authentication

API keys, OAuth, and access control for RouterMCP.

RouterMCP supports multiple authentication methods for securing access to your MCP gateway.

Project Authentication

Each project can be configured with an authentication mode:

Mode      Description                             Use Case
none      No authentication required              Development, internal tools
api_key   Requires Authorization: Bearer header   Production, external access

API Key Authentication

When authMode is set to api_key, each request must carry the key in the Authorization: Bearer header:

POST /v1/mcp/my-project/request
Authorization: Bearer rmc_1234567890abcdef
Content-Type: application/json

API keys are shown only once when created. Store them securely.

Upstream Authentication

RouterMCP can authenticate with upstream MCP servers using:

Type     Description
none     No authentication
bearer   Bearer token in Authorization header
oauth    OAuth 2.0 flow with token refresh

Bearer Token

{
  "mcpServers": {
    "github": {
      "url": "https://mcp.github.com",
      "authType": "bearer",
      "authBearer": "${GITHUB_TOKEN}"
    }
  }
}

OAuth

RouterMCP Cloud handles OAuth flows automatically:

  1. Configure OAuth in the dashboard
  2. User authorizes via OAuth provider
  3. RouterMCP stores and refreshes tokens
  4. Tokens are injected into upstream requests

Best Practices

  1. Use API key auth in production - Never expose unauthenticated endpoints
  2. Rotate keys periodically - Create new keys and revoke old ones
  3. Use environment variables - Never hardcode credentials
  4. Per-server credentials - Don't share tokens across servers
  5. Monitor audit logs - Watch for unauthorized access attempts
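
Practices 3 and 4 can be checked mechanically before a config is deployed. The linter below is an added example, not part of RouterMCP or its tooling: it reads the mcpServers format shown under Bearer Token and flags bearer entries whose authBearer is a literal instead of a ${VAR} reference, or whose credential is reused by another server. The function name, the finding labels, and every server except "github" are constructed for illustration, and it assumes a reference is exactly one ${NAME} token.

```python
import json
import re

# A value that is exactly one ${VAR} reference, as in the page's example.
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")

# Constructed sample config: "github" follows the page, the rest are made up.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github":  {"url": "https://mcp.github.com", "authType": "bearer",
                "authBearer": "${GITHUB_TOKEN}"},
    "tickets": {"url": "https://tickets.example.internal", "authType": "bearer",
                "authBearer": "constructed-literal-token"},
    "wiki":    {"url": "https://wiki.example.internal", "authType": "bearer",
                "authBearer": "${GITHUB_TOKEN}"},
    "search":  {"url": "https://search.example.internal", "authType": "bearer"}
  }
}
"""

def lint_upstream_auth(config_text):
    """Return (server, finding) pairs for bearer-auth upstream entries."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    seen = {}  # credential value -> first server that used it
    for name, entry in sorted(servers.items()):
        if entry.get("authType") != "bearer":
            continue  # "none" and "oauth" entries carry no authBearer to check
        token = entry.get("authBearer")
        if not isinstance(token, str) or not token:
            findings.append((name, "missing-token"))
            continue
        if not ENV_REF.match(token):
            findings.append((name, "hardcoded-token"))  # practice 3
        if token in seen:
            findings.append((name, "shared-with:" + seen[token]))  # practice 4
        else:
            seen[token] = name
    return findings

if __name__ == "__main__":
    for server, finding in lint_upstream_auth(SAMPLE_CONFIG):
        print(server + ": " + finding)
```

Run as a pre-commit or CI step, a non-empty result can fail the build so that a literal token never reaches version control.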
