egk_,
scoped to a single workspace, and shown in full only once at creation.
Mint a key
Only workspace admins can create keys.1
Open API key settings
Sign in at app.enokilabs.ai and go to
Settings → API Keys.
2
Create a key
Click Create, give it a name, and select the scopes it needs (see below).
The default selection is
read + write.3
Copy it once
The full key (
egk_…) is shown once. Copy it and store it securely — you
can’t retrieve it again, only rotate or revoke it. The dashboard afterwards
shows just the egk_XXXX prefix for identification.Scopes
A key carries one or more scopes. Grant the narrowest set that does the job.
Scopes are hierarchical:
admin implies read + write + test:run; write
implies monitoring:write; read implies monitoring:read. Crucially, write
does not imply read — they are independent.
Which scope each MCP tool needs
Rotate and revoke
1
Rotate
Rotating issues a new key and keeps the old one valid for a grace period
(default 24 hours) so you can swap it in without downtime, then the old key
stops working. The new key is shown once, same as creation.
2
Revoke
Revoking disables a key immediately. Use it when a key is no longer needed or
may be exposed.
Key hygiene
- Least privilege. Grant only the scopes needed — never default to
admin. - Keys live in config files. MCP clients store the key in a config file on disk (see Connect your agent), so treat it like any other secret and prefer a scoped, rotatable key.
- One key per use. Separate keys for separate consumers (a developer’s Claude Code vs a CI pipeline) so you can rotate or revoke one without disrupting the other.