# API keys & authentication

The two ways to authenticate with the Sequel MCP server — static API keys and OAuth 2.0 — plus how to create, scope, and revoke access.

The Sequel MCP server supports **two authentication methods**. Both authorize a client to query the data sources your organization has connected — nothing more. This page explains when to use each and how to manage access.

## At a glance

| | API key | OAuth 2.0 |
| --- | --- | --- |
| **Best for** | CLIs & editors (Claude Code, Cursor, VS Code, Windsurf, Zed, Codex, Gemini) | Connector-style clients (ChatGPT, Claude.ai) |
| **Setup** | Paste a key into the tool's config | Sign in on a consent screen |
| **Credential** | Static `sql_…` Bearer token | Short-lived access token, auto-refreshed |
| **Revoke** | Delete the key | Revoke the authorization |

## API keys

API keys are static Bearer tokens you generate once and paste into a tool's MCP config.

<Steps>
<Step title="Create a key">
Go to **Settings → API Keys** in the Sequel dashboard and create a new key. Give it a descriptive name (e.g. the tool or person it's for).
</Step>

<Step title="Copy it immediately">
The full key is shown **once**, at creation. Copy it then — afterward only a short prefix is visible for identification.
</Step>

<Step title="Use it as a Bearer token">
Add it to your tool's MCP config:

<CodeBlock language="http" label="Authorization header">Authorization: Bearer sql_your_api_key</CodeBlock>
</Step>
</Steps>

<Callout type="tip" title="The sequel_mcp key">
When you install Sequel from the dashboard's install dialog, it auto-provisions a key named <code>sequel_mcp</code> and inserts it into the config snippet for you — so you usually don't have to create one by hand.
</Callout>

<Callout type="warning" title="Keep keys private">
A key grants access to your organization's connected data. Don't commit keys to shared repos — give each person or tool its own key, and revoke any key that may have leaked.
</Callout>
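
The check below is an added example, not part of Sequel's documentation or tooling: a pre-commit style scanner that flags strings shaped like a `sql_` key before they reach a shared repo. Only the `sql_` prefix comes from this page; the key body's alphabet and minimum length, and the names `scan_text`, `scan_files` and `redact`, are assumptions.

```python
import re
import sys

# Assumption: the page documents only the "sql_" prefix. The body alphabet
# (letters and digits) and the 20-character minimum are guesses; tune them
# against a real key from your dashboard.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sql_[A-Za-z0-9]{20,}")


def redact(key, visible=8):
    """Keep a short prefix for identification, never the full secret."""
    return key[:visible] + "..."


def scan_text(text, source="<input>"):
    """Return (source, line_number, redacted_key) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan each readable file; unreadable paths are reported and skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError as exc:
            print(f"skipped {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample: a made-up key in a config file, the docs placeholder,
# and an ordinary identifier that must not be flagged.
SAMPLE = (
    '{"headers": {"Authorization": "Bearer sql_9fK2mQx7Lb4TzR1cVn8Wd0Ye"}}\n'
    "Authorization: Bearer sql_your_api_key\n"
    "SELECT * FROM sql_audit_log_entries_2024_archive;\n"
)

if __name__ == "__main__":
    # As a pre-commit hook: pass the staged file names as arguments.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for source, lineno, key in hits:
        print(f"{source}:{lineno}: possible Sequel API key {key}")
    sys.exit(1 if hits else 0)
```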

## OAuth 2.0

For clients that support it, OAuth avoids sharing static keys. Sequel implements standard **OAuth 2.0 with PKCE**:

<Steps>
<Step title="The client registers itself">
The MCP client registers with Sequel automatically (dynamic client registration) — there's nothing to paste.
</Step>

<Step title="You sign in and consent">
You're redirected to a Sequel consent screen, where you sign in and pick the organization to authorize.
</Step>

<Step title="Sequel issues tokens">
Sequel returns a short-lived access token (refreshed automatically in the background) scoped to your organization. The client uses it on every request.
</Step>
</Steps>

To use OAuth, just choose Sequel as an MCP connector in a client that supports it (for example ChatGPT's Connectors or Claude.ai integrations) and follow the sign-in prompt.

## Scope & revocation

- **Organization-scoped.** Every key and OAuth session can only reach the data sources your organization has connected.
- **Revoke anytime.** Delete an API key, or revoke an OAuth authorization, from the dashboard. Access stops immediately.
- **Rotate freely.** Issue separate keys per tool or environment so you can revoke one without disrupting the others.

## Next steps

- [Install Sequel MCP in your tool](/docs/install)
- [Getting Started](/docs/getting-started)
