Skip to main content
Docs/API Keys
DocsAPI Keys
Pro

API Keys

Create API keys to call GenMB from your own scripts, CI jobs, or MCP-compatible AI tools. Keys are scoped to your account and inherit your plan.

API keys require a Pro or Business plan.

Creating a Key

1

Open the API Keys section

From Settings, scroll to API Keys. You can also reach the same view from the MCP Integration panel in the app editor.
2

Click New Key

Give the key a descriptive name (e.g. "Claude Desktop", "CI deploy", "Local dev"). Names help you remember what each key is for; they have no functional effect.
3

Copy the key immediately

The raw key value (genmb_sk_...) is shown once. Copy it into your password manager or environment variable now; you will not be able to retrieve it again.
We hash keys before storing them, so we cannot recover a lost key. If you misplaced one, revoke it and create a replacement.

Using a Key

Pass the key in the Authorization header on any API request:

curl https://genmb.com/api/apps \
  -H "Authorization: Bearer genmb_sk_..."

MCP-aware clients can use the dedicated X-MCP-API-Key header instead, which is preferred for MCP-only clients that already use Authorization for transport-level auth.

Requests made with an API key are attributed to you. They count against your plan's rate limits, credit costs, and quotas the same as if you had made them from the editor.

MCP Server Use

API keys are the primary auth method for the GenMB MCP server. Once you create a key, paste it into your MCP client (Claude Desktop, Cursor, etc.) following the setup steps in the MCP Integration doc.

For Claude Desktop, drop the key into the env block of your MCP server config. Restart Claude Desktop after editing config.

Security

  • Keys begin with the genmb_sk_ prefix so they are easy to spot in logs and code reviews.
  • Only a SHA-256 hash of the key is stored in our database. The plaintext exists only on the client.
  • The list view shows a truncated prefix and the last-used timestamp so you can audit usage without seeing the raw key.
  • Keys do not expire automatically. Rotate them when a contractor leaves, a laptop is lost, or a shared CI secret is suspected.
Never commit an API key to source control. Use environment variables or a secrets manager. If you accidentally publish a key, revoke it immediately from the API Keys section.

Revoking

To revoke a key, click Delete next to it in the API Keys section. Revocation is immediate: any active client using the key starts receiving 401 errors on the next request.

Revoked keys cannot be reinstated. Create a new key and reconfigure clients to use it.

Limits

Maximum keys per account5
Key formatgenmb_sk_ + 32 URL-safe random chars
StorageSHA-256 hash only (raw key never stored)
Plan requirementPro or Business
Global rate limit200 requests / minute / IP

Need more than 5 keys? Contact support with your use case.

FAQs

What are API keys used for?
API keys authenticate external clients (your own scripts, CI jobs, MCP-aware AI tools like Claude Desktop) when they call GenMB on your behalf. They are scoped to your user account and inherit your plan and quotas.
Where do I see my keys?
Open Settings and find the API Keys section, or use the MCP Integration panel in the app editor. The list shows the name, prefix, creation date, and last-used time for every key. The raw key value is only ever shown once, when you create it.
I lost a key. Can I recover it?
No. We only store a SHA-256 hash of the key in our database, never the key itself. If you lost a key, revoke it and create a new one.
How do I revoke a key?
Click Delete next to the key in the API Keys section. The key is invalidated immediately; any clients using it start receiving authentication errors on the next request.
What is the rate limit on key-authenticated requests?
The same global limit applies as any other API call: 200 requests per minute per IP. Per-endpoint limits (e.g. codegen, deploy) still apply too.
How is this different from window.genmb.auth?
window.genmb.auth is end-user authentication inside generated apps (Google OAuth). API keys are for you, the GenMB user, when calling the platform from outside the editor.

Ready to build?

Create your first app for free, no credit card required.

MCP IntegrationMCP Servers (Per-App)