MCP Authentication
Authentication
Section titled “Authentication”The Nuelink MCP server authenticates using the **same API key **as the REST API. There’s no separate OAuth flow: You generate a key once, give it to your AI assistant, and every tool call uses that key.
Two ways to pass the key
Section titled “Two ways to pass the key”The MCP server accepts your API key in either of two ways. Pick whichever your client supports better:
Option 1: Query parameter on the URL
Section titled “Option 1: Query parameter on the URL”https://mcp.nuelink.com/mcp?api_key=YOUR_API_KEYOption 2: Bearer token in the Authorization header
Section titled “Option 2: Bearer token in the Authorization header”URL: https://mcp.nuelink.com/mcpHeader: Authorization: Bearer YOUR_API_KEYBoth methods are equivalent: same permissions, same brands, same data. Use Option 2 when your client supports custom headers (Cursor, Codex, Claude Desktop’s config file); use Option 1 everywhere else (Claude web/mobile, ChatGPT, Manus, and any client that only accepts a URL).
When the server receives a request, it reads the key from whichever place you put it, validates it, and proxies the call to the public API as if you’d made it yourself with
Authorization: Bearer YOUR_API_KEY.
This means:
- Anything you can do via the API, the MCP can do. Same permissions, same brands, same data.
- No OAuth round-trip. Connecting an assistant is just “paste this URL” or “paste this URL plus a header.”
- One key, every assistant. Use the same key in Claude, ChatGPT, Cursor, Manus, Codex, anywhere.
Generating an API key
Section titled “Generating an API key”- Go to Settings → API in your Nuelink dashboard.
- Click Generate API key.
- Copy the key immediately, you won’t be able to view it again after closing the screen.
- Paste it into your MCP URL (or your client’s header config).
For full details on the API key itself (format, expiration, and error responses) see the API Authentication page.
Revoking access
Section titled “Revoking access”Because the MCP server has no separate session of its own, revoking access means deleting the API key:
- Go to Settings → API.
- Find the key you used for MCP and click Delete.
The next time any assistant tries to call a Nuelink tool with that key, it’ll get a 401 Token has been revoked response. The assistant typically surfaces this as “your Nuelink connection has expired, please reconnect.”
To reconnect, generate a new key and update it everywhere you used the old one.
Rotating your key
Section titled “Rotating your key”Same flow as revoking: delete the old key, generate a new one, update every assistant that was using it. We don’t have automatic rotation in the alpha.
A few tips:
- Use one key per assistant if you want to revoke selectively (for example, you connected Nuelink to a teammate’s Claude and want to cut just that off without touching your own Cursor setup).
- Use one key for everything if you’d rather have a single thing to revoke if you ever need to. Both approaches are fine; pick what matches your threat model.
Which method should you pick?
Section titled “Which method should you pick?”If your client supports both (Cursor, Codex, Claude Desktop config), header-based auth is slightly safer the key doesn’t end up in URL bars, server access logs, or screenshots of the connector list. It also makes config files easier to commit without leaks (the URL can be public; the header lives next to it).
If your client only accepts a URL (Claude web/mobile, ChatGPT, Manus), the query-param method is what you’ll use. Both are secure in transit (HTTPS).
Multi-brand and team accounts
Section titled “Multi-brand and team accounts”If your Nuelink account has access to multiple brands, because you’re on a Business or Agency plan, or because you’ve been added to someone else’s team, the API key inherits all of them. The MCP server sees every brand the key has access to.
The key is scoped to your user, not the workspace. If you leave a team, your key loses access to that team’s brands.
Rate limits
Section titled “Rate limits”MCP tool calls share the same rate limits as the underlying API. See Rate Limits for current numbers. If you hit a limit, the assistant will see a 429 response and usually suggest retrying in a moment.
Security notes
Section titled “Security notes”- Treat the key like a password. Whether you put it in the URL or a header, anyone who has it can publish on your behalf.
- Don’t commit it to version control. Cursor and Codex configs live in files on your machine, if those files are inside a Git repo, add them to
.gitignore. - Don’t share screenshots that include the URL if you’re using the query-param method. The key is right there in plain text.
- Server-side logs. Nuelink’s MCP server doesn’t log full URLs (the key is stripped before any request enters log storage), but you should still avoid exposing it elsewhere.
Troubleshooting
Section titled “Troubleshooting””Token is required” (401)
Section titled “”Token is required” (401)”The MCP URL is missing both the api_key query param and the Authorization header. Add one of them.
”Token is invalid” (401)
Section titled “”Token is invalid” (401)”The key was copied incorrectly or never existed. Generate a fresh one from Settings → API.
”Token has been revoked” (401)
Section titled “”Token has been revoked” (401)”The key was deleted from your Nuelink dashboard. Generate a new one and update it everywhere you used it.
”I connected but the tools aren’t showing up.”
Section titled “”I connected but the tools aren’t showing up.””Make sure you approved the tools in the assistant’s permission UI. Some clients (especially Cursor and ChatGPT) need a restart or refresh after first connection.
”I’m on a team account and don’t see my agency’s brands.”
Section titled “”I’m on a team account and don’t see my agency’s brands.””The API key inherits your team role. If you have read-only access to a brand on Nuelink, you’ll see it via MCP but won’t be able to post to it. Ask your admin to upgrade your role.
Still stuck? Email support@nuelink.com and mention MCP in the subject line.