Corcava logoLe seul outil métier dont vous avez besoinCorcava
Menu
Solutions
Secteurs
DesignersRH & recrutementCabinets d'avocatsImmobilierConseilMarketing digitalComptabilitéE‑commerceDéveloppement logiciel
Produit
FonctionnalitésIntégrations
BlogTélécharger
Ressources
TemplatesDocsMCPFAQAPIComparaisonsFeuille de routeQuoi de neuf$ Programme d'affiliation
Tarifs
Essai gratuit de 14 jours

Aucune carte bancaire requise

Clés API pour MCP : bonnes pratiques pour rotation, révocation et séparation

Operational guide for managing API keys used by MCP clients. Learn how to create separate keys per machine, establish naming conventions, implement rotation schedules, handle revocation, and respond to security incidents.

Why Separate Keys Per Machine/Client?

Creating a unique API key for each AI assistant or machine provides critical security and operational benefits:

Security Benefits

  • Isolation: If one key is compromised, others remain safe
  • Granular Control: Revoke access for one client without affecting others
  • Limited Blast Radius: Compromise is contained to one device/client
  • Easier Investigation: Know exactly which key was used in an incident

Operational Benefits

  • Audit Trail: Track which client made which changes
  • Usage Monitoring: Monitor API usage per client
  • Selective Rotation: Rotate keys independently
  • Team Management: Assign keys to specific team members

Naming Conventions

Use descriptive names for your API keys to make management easier. Good naming helps you quickly identify which key to revoke or rotate.

Recommended Naming Pattern

Format: [client-name]-[machine/device]-[purpose]

  • claude-desktop-macbook-pro
  • cursor-work-laptop
  • windsurf-dev-machine
  • continue-personal-pc
  • claude-desktop-home-office

Naming Best Practices

Rotation Schedules

Regularly rotating API keys limits exposure and reduces risk. Choose a schedule based on your security requirements:

High Security: Every 30-60 Days

Recommended For:

  • Production environments with sensitive data
  • Enterprise customers with compliance requirements
  • Keys with broad access permissions
  • High-value or critical workflows

Standard: Every 90 Days

Recommended For:

  • Most team environments
  • Standard project management workflows
  • Balanced security and operational overhead

Low Risk: Every 180 Days

Recommended For:

  • Personal use or small teams
  • Read-only or low-risk operations
  • Development/testing environments

Setting Up Rotation Reminders

Create a system to track rotation schedules:

  • Calendar Reminders: Set recurring calendar events for each key
  • Task Management: Create tasks in Corcava for key rotation
  • Spreadsheet: Track key creation dates and next rotation dates
  • Automated Alerts: Use your team's notification system

Revocation Process

When you need to revoke an API key (rotation, compromise, or access removal), follow this process:

Step-by-Step Revocation

  1. Identify the Key

    Go to Corcava Settings → Integrations → Public API. Find the key you want to revoke by its name.

  2. Create Replacement Key (If Needed)

    If you're rotating (not just revoking), create the new key first and copy it securely.

  3. Update Client Configuration

    If rotating, update the MCP client's configuration file with the new key before revoking the old one.

  4. Revoke the Old Key

    In Corcava Settings → Integrations → Public API, click Delete or Revoke on the old key.

  5. Restart the Client

    If you updated the configuration, restart the AI client to load the new key.

  6. Verify Access

    Test that the client can still access Corcava (if rotating) or confirm access is blocked (if revoking).

⚠️ Important

Revoking a key immediately stops all access. The AI client will start getting 401 errors. If you're rotating, make sure you have the new key ready and the client configuration updated before revoking the old key.

Incident Response: If a Key Leaks

If you suspect an API key has been compromised or leaked, act immediately:

Immediate Actions (Within Minutes)

  1. Revoke the key immediately in Corcava Settings → Integrations → Public API
  2. Review recent activity in audit logs to identify unauthorized access
  3. Check for unauthorized changes (tasks created, data modified, time logged)
  4. Notify team members who may be affected

Investigation Steps

  1. Review Audit Logs: Check Corcava audit logs for unusual activity patterns
  2. Identify Scope: Determine what data was accessed or modified
  3. Check Timestamps: Note when unauthorized access occurred
  4. Review Changes: Examine any tasks, comments, or data that was created/modified
  5. Assess Impact: Determine if sensitive data was exposed

Recovery Steps

  1. Create New Keys: Generate new API keys for legitimate clients
  2. Update Configurations: Update all MCP client configs with new keys
  3. Restart Clients: Restart AI clients to load new keys
  4. Verify Access: Test that legitimate clients can still access Corcava
  5. Review Security Practices: Identify how the key leaked and prevent recurrence

Corcava-Specific Examples

Creating a New API Key

  1. Log in to Corcava
  2. Navigate to SettingsIntegrations
  3. Find the Public API section
  4. Click Add API Key
  5. Enter a descriptive name (e.g., claude-desktop-macbook-pro)
  6. Click Create
  7. Copy the key immediately - it's only shown once
  8. Store it securely (password manager, secure notes)

Example: Rotating a Key

Scenario: Rotating the key for Claude Desktop on your MacBook Pro (90-day rotation)

  1. Create new key: claude-desktop-macbook-pro-v2
  2. Copy the new key
  3. Update claude_desktop_config.json with new key
  4. Save the config file
  5. Restart Claude Desktop
  6. Verify tools are available
  7. Revoke old key: claude-desktop-macbook-pro
  8. Rename new key to remove "-v2" suffix (optional)

Best Practices Summary

API Key Management Checklist

  • ✅ Create separate keys for each AI client/machine
  • ✅ Use descriptive, consistent naming conventions
  • ✅ Rotate keys regularly (every 90 days recommended)
  • ✅ Set up rotation reminders (calendar, tasks, alerts)
  • ✅ Revoke keys immediately if compromised
  • ✅ Never commit API keys to version control
  • ✅ Store keys securely (password manager, env variables)
  • ✅ Review audit logs regularly
  • ✅ Have an incident response plan ready
  • ✅ Document key purposes and owners

Additional Resources

MCP Security Guide

Complete security best practices for MCP integrations

Least-Privilege Workflows

Design safe write workflows with confirmation patterns

Secure Your MCP Integration

Follow these practices to keep your API keys safe

Start Free Trial →Security Guide

Aucune carte bancaire requise