Skip to main content

Authentication

All RouteMCP API requests are authenticated using API keys. Include your key in the Authorization header as a Bearer token with every request: 
curl http://localhost:5001/api/v1/contact?provider=hubspot \
  -H "Authorization: Bearer sk_live_your_api_key"

Getting an API Key

API keys are managed from the RouteMCP dashboard:
  1. Log in to your dashboard at https://app.routemcp.com
  2. Navigate to API Keys
  3. Click Generate New Key
  4. Choose live (production) or test (sandbox) environment
  5. Copy the key — it’s only shown once

Key Types

PrefixEnvironmentDescription
sk_live_ProductionReal data from connected providers
sk_test_SandboxTest data, safe for development
Use sk_test_ keys during development and integration testing. Switch to sk_live_ keys for production.

Making Requests

cURL

curl http://localhost:5001/api/v1/contact?provider=hubspot \
  -H "Authorization: Bearer sk_live_your_api_key"

JavaScript (fetch)

const response = await fetch(
  "http://localhost:5001/api/v1/contact?provider=hubspot",
  {
    headers: {
      "Authorization": `Bearer ${process.env.ROUTERMCP_API_KEY}`,
    },
  }
);

const { data } = await response.json();

Python (requests)

import os
import requests

response = requests.get(
    "http://localhost:5001/api/v1/contacts",
    params={"provider": "hubspot"},
    headers={"Authorization": f"Bearer {os.environ['ROUTERMCP_API_KEY']}"},
)

data = response.json()["data"]

Security Best Practices

  1. Never expose API keys in client-side code — keep them server-side only
  2. Use environment variables — don’t hardcode keys in source code
  3. Use test keys for developmentsk_test_ keys access sandbox data
  4. Rotate keys periodically — generate a new key from the dashboard and revoke the old one
  5. Use separate keys per environment — different keys for staging vs production

Error Responses

StatusCodeDescription
401INVALID_API_KEYThe API key is missing, malformed, or revoked. Check the Authorization: Bearer header.
429RATE_LIMITEDToo many requests — see Rate Limits
{
  "success": false,
  "statusCode": 401,
  "message": "Invalid or missing API key",
  "code": "INVALID_API_KEY"
}