GetMCP handles authentication at two levels:
  1. Outbound authentication — Credentials used by tools when calling external APIs
  2. Inbound authentication — Protection for your MCP endpoint so only authorized clients can connect

Outbound Authentication (Tools)

Each tool can have its own authentication configuration for the external API it calls.

None

For public APIs that require no authentication:
Auth Type: none

API Key

Sends an API key to the external API. You can control where the key is placed:
Location        Example
Header          X-API-Key: your_key
Query param     ?api_key=your_key
Custom header   Authorization: ApiKey your_key
Configuration:
{
  "key_name": "X-API-Key",
  "key_value": "your_api_key_here",
  "key_location": "header"
}

Bearer Token

Sends an Authorization: Bearer <token> header:
{
  "token": "your_bearer_token_here"
}

Basic Auth

Sends Base64-encoded username:password in the Authorization header:
{
  "username": "your_username",
  "password": "your_password"
}

OAuth 2.0 (Client Credentials)

Fetches an access token using the client credentials flow and automatically refreshes it when it expires:
{
  "token_url": "https://api.example.com/oauth/token",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "scope": "read write"
}
GetMCP caches the token and automatically requests a new one before it expires.

Test Credentials

Each server supports a separate set of test credentials — outbound authentication used only when you run tool tests from the admin panel. This lets you:
  • Test against a sandbox/staging environment without modifying production credentials
  • Verify tool behavior safely before going live
Configure test credentials in the server settings under Test Auth.

Credential Security

All credentials are encrypted at rest using libsodium (sodium_crypto_secretbox), which is built into PHP 8.0+. Credentials are:
  • Stored encrypted in the WordPress database
  • Decrypted only in memory during tool execution
  • Never logged or exposed in responses (sensitive values are redacted in call logs)
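As an added illustration of the encrypt-at-rest, decrypt-only-in-memory flow described above, using the same libsodium primitive (this is example code, not GetMCP's own implementation; the GETMCP_EXAMPLE_KEY variable and the getmcp_example_* function names are assumptions):

```php
<?php
// Added example (not GetMCP's own code): encrypt a credential at rest with
// sodium_crypto_secretbox and decrypt it only in memory when a tool runs.
// Assumption: the 32-byte key is supplied base64-encoded in GETMCP_EXAMPLE_KEY
// (a hypothetical name); generate it once with sodium_crypto_secretbox_keygen().
declare(strict_types=1);

function getmcp_example_load_key(): string {
    $b64 = getenv('GETMCP_EXAMPLE_KEY');
    if ($b64 === false) {
        throw new RuntimeException('GETMCP_EXAMPLE_KEY is not set');
    }
    $key = sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    return $key;
}

// Fresh random nonce per value; the nonce is prepended to the authenticated
// ciphertext and the blob is base64-encoded for a text database column.
function getmcp_example_encrypt(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// secretbox is authenticated: a tampered blob or a wrong key makes
// sodium_crypto_secretbox_open() return false, so decryption fails closed.
function getmcp_example_decrypt(string $blob, string $key): string {
    $raw = sodium_base642bin($blob, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('stored credential is truncated');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('credential failed authentication (tampered or wrong key)');
    }
    return $plain;
}

$key = getmcp_example_load_key();
$stored = getmcp_example_encrypt('your_api_key_here', $key); // constructed sample value
$secret = getmcp_example_decrypt($stored, $key);             // decrypted in memory only
// ... build the outbound request with $secret, never write it to a log ...
sodium_memzero($secret);                                     // wipe the plaintext when done
sodium_memzero($key);
```

The length check before sodium_crypto_secretbox_open() matters because a blob shorter than nonce plus MAC cannot be a valid ciphertext and would otherwise produce a less specific error.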

Inbound Authentication (MCP Endpoint)

Protect your MCP endpoint so only authorized AI clients can connect.

None (Default)

The MCP endpoint is publicly accessible to anyone with the URL. Suitable for:
  • Local development
  • Internal networks
  • Non-sensitive tools
For production deployments exposing third-party API credentials, always use inbound authentication. Your server URL may be shared or discovered.

API Key

AI clients must include an API key in the Authorization header:
Authorization: Bearer your_mcp_api_key
To generate an API key, go to Server Settings > Authentication > API Keys and click Add Key. Configure your AI client to send the key:
{
  "mcpServers": {
    "my-server": {
      "url": "https://yoursite.com/mcp/my-server/abc123",
      "headers": {
        "Authorization": "Bearer your_mcp_api_key"
      }
    }
  }
}

OAuth 2.0

For enterprise deployments, configure OAuth 2.0 server-side to issue access tokens to authorized clients.

Admin REST API Authentication

The GetMCP admin REST API (under /wp-json/getmcp/v1/) uses GetMCP API key authentication for programmatic access. See the API Reference for details on generating and using your API key.