401 Unauthorized in MCP: Fixing API Key and Auth Header Issues
Getting 401 Unauthorized errors when using MCP? This focused troubleshooting guide helps you fix authentication issues: missing Authorization headers, wrong Bearer format, revoked API keys, and whitespace problems. Learn how to verify your setup and rotate keys safely.
What 401 Unauthorized Means
A 401 error indicates that your request reached the server, but authentication failed. This is different from connection errors—the server is reachable, but it doesn't recognize or accept your credentials.
Common Causes
- Missing Authorization header
- Wrong Bearer token format
- Revoked or expired API key
- Whitespace issues when copying the key
- API key tied to wrong workspace
Step 1: Check Authorization Header Format
The Authorization header must be formatted exactly as "Bearer " followed by your API key (with a single space).
Correct Format
Correct Authorization Header
Authorization: Bearer YOUR_API_KEY
Key points:
- "Bearer" (capital B, lowercase rest)
- Single space after "Bearer"
- No quotes around the API key
- No extra spaces or line breaks
Common Format Errors
Missing "Bearer " Prefix
Authorization: YOUR_API_KEY
Fix: Add "Bearer " before the API key
Wrong Case
Authorization: bearer YOUR_API_KEY
Authorization: BEARER YOUR_API_KEY
Fix: Use exactly "Bearer" (capital B, lowercase rest)
Missing Space After "Bearer"
Authorization: BearerYOUR_API_KEY
Fix: Add a single space: "Bearer YOUR_API_KEY"
Extra Spaces
Authorization: Bearer YOUR_API_KEY
Authorization: Bearer YOUR_API_KEY
Fix: Use exactly one space between "Bearer" and the key, no trailing spaces
Step 2: Verify API Key Status
Check if your API key is active and valid:
Verification Steps
- Log in to Corcava
- Go to Settings → Integrations → Public API
- Find your API key in the list
- Check if it shows as "Active"
- Verify the key name matches what you're using
Key Status Issues
Revoked Key
- Symptom: Key shows as "Revoked" or "Inactive" in Corcava
- Fix: Create a new API key and update your MCP configuration
Expired Key
- Symptom: Key has an expiration date that has passed
- Fix: Generate a new API key (keys don't expire by default, but check if expiration was set)
Wrong Workspace
- Symptom: Key exists but belongs to a different workspace
- Fix: Ensure you're logged into the correct Corcava workspace, or create a key in the right workspace
Step 3: Check for Whitespace Issues
When copying API keys, extra whitespace can cause authentication failures:
Common Whitespace Problems
- Leading/trailing spaces: Key copied with spaces at the beginning or end
- Line breaks: Key split across multiple lines
- Hidden characters: Non-printable characters from copy/paste
- Multiple spaces: Extra spaces within the key (rare, but possible)
How to Fix Whitespace Issues
- Copy the API key from Corcava again
- Paste into a plain text editor (not a word processor)
- Manually select only the key characters (no spaces before/after)
- Copy again and paste into your config file
- Verify no extra spaces in the config file
Verify in Config File
Check your MCP config file for correct formatting:
Correct Config Format
{
"mcpServers": {
"corcava": {
"url": "https://app.corcava.com/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}
Note: The API key should be directly after "Bearer " with no extra spaces or line breaks.
Step 4: Test Authentication
Verify your authentication setup with curl:
Test with curl
Basic Auth Test
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://app.corcava.com/mcp
Expected response: Should return 200 OK or tool list, not 401 Unauthorized
Verbose Test (See Headers)
curl -v -H "Authorization: Bearer YOUR_API_KEY" \
https://app.corcava.com/mcp
The -v flag shows request/response headers for debugging
Interpreting Results
- 200 OK: Authentication successful
- 401 Unauthorized: Authentication failed (check header format and key status)
- 403 Forbidden: Key is valid but lacks permissions (see 403 guide)
Step 5: Rotate API Keys Safely
If you need to create a new API key, follow this safe rotation process:
Safe Key Rotation Steps
- Create new key: Generate a new API key in Corcava Settings → Integrations
- Update config: Update your MCP config file with the new key
- Test new key: Verify the new key works with curl or your MCP client
- Restart client: Restart your MCP client to load the new config
- Verify tools appear: Confirm MCP tools are available with the new key
- Revoke old key: Only after confirming the new key works, revoke the old key
Important: Don't Revoke Old Key Too Soon
Keep the old key active until you've confirmed the new key works. This prevents service interruption if the new key has issues.
Key Rotation Best Practices
- Name keys descriptively: Use names like "Claude Desktop - MacBook Pro" to track usage
- Rotate regularly: Set a schedule for key rotation (e.g., every 90 days)
- One key per client: Use separate keys for different MCP clients
- Monitor key usage: Review active keys periodically and revoke unused ones
- Revoke compromised keys immediately: If a key is exposed, revoke it right away
Quick Fix Checklist
Before Contacting Support
- ✅ Authorization header format is "Bearer YOUR_API_KEY" (exact format)
- ✅ API key is active in Corcava Settings → Integrations
- ✅ No extra whitespace in the API key
- ✅ Config file JSON is valid (see Config JSON Errors)
- ✅ curl test with the key returns 200 OK (not 401)
- ✅ MCP client has been restarted after config changes
Related Troubleshooting
- 403 Forbidden - Fix permission issues after authentication succeeds
- Connection Failed - Diagnose network issues before authentication
- Config JSON Errors - Fix JSON syntax that breaks config loading
- Troubleshooting Index - Browse all troubleshooting guides