API Management Endpoints

All server management API requests require authentication:
Authorization: Bearer YOUR_API_KEY  # Required
x-alloy-userid: YOUR_USER_ID        # Optional when using API key
Alternative with JWT:
x-alloy-user-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

MCP Protocol Endpoints

Two authentication methods are available:
1. Token URL

No additional headers needed:
https://mcp.runalloy.com/mcp/{serverId}/{accessToken}
2. API Key

Requires authentication headers:
https://mcp.runalloy.com/mcp/{serverId}
Authorization: Bearer YOUR_API_KEY
x-alloy-userid: YOUR_USER_ID

JWT User Isolation

Servers support automatic userId extraction from JWTs:
  • Send the JWT in the x-alloy-user-token header
  • The server extracts the userId from the JWT payload
  • Each JWT user gets isolated data based on their JWT userId
Example:
curl -X POST https://mcp.runalloy.com/mcp/{serverId}/{token} \
  -H "x-alloy-user-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {...}, "id": 1}'

Security Best Practices

  1. Never share your API key or token URL - The token URL contains the access token, so treat both like passwords
  2. Rotate keys regularly - Generate new keys periodically
  3. Use restrictions - Limit what each server can access
  4. Monitor usage - Check logs for unexpected activity
  5. Store credentials securely - Use environment variables or secret managers
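
An added example (not Alloy's own code) of practices 1 and 5 for the API Key method: credentials are read from the environment and handed to curl on stdin, and URLs and headers are masked before they are logged. The variable names ALLOY_API_KEY and ALLOY_USER_ID and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Alloy's code. ALLOY_API_KEY, ALLOY_USER_ID and the
# function names are assumptions; sample values are constructed.
MCP_BASE="https://mcp.runalloy.com/mcp"

# Mask the {accessToken} path segment of a Token URL before logging it.
# API Key URLs (no token segment) pass through unchanged.
redact_mcp_url() {
  printf '%s\n' "$1" | sed -E 's#(/mcp/[^/?]+)/[^/?]+#\1/[REDACTED]#'
}

# Mask the credential in a header line, using the header spellings on this page.
redact_header() {
  printf '%s\n' "$1" | sed -E \
    -e 's/^(Authorization: Bearer ).*/\1[REDACTED]/' \
    -e 's/^(x-alloy-user-token: ).*/\1[REDACTED]/'
}

# Emit the auth headers as curl config lines, refusing to run if a
# credential is missing from the environment.
mcp_auth_config() {
  : "${ALLOY_API_KEY:?ALLOY_API_KEY is not set}"
  : "${ALLOY_USER_ID:?ALLOY_USER_ID is not set}"
  printf 'header = "Authorization: Bearer %s"\n' "$ALLOY_API_KEY"
  printf 'header = "x-alloy-userid: %s"\n' "$ALLOY_USER_ID"
}

# API Key method: the key goes to curl on stdin (--config -), so it is not
# visible in the process list or shell history. Only the redacted URL is logged.
mcp_call() {
  server_id=$1 body=$2
  cfg=$(mcp_auth_config) || return 1
  url="$MCP_BASE/$server_id"
  echo "POST $(redact_mcp_url "$url")" >&2
  printf '%s\n' "$cfg" | curl --silent --show-error --config - \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream" \
    -d "$body" "$url"
}

# Demo on constructed values (no network access).
redact_mcp_url "https://mcp.runalloy.com/mcp/srv_123/tok_constructed"
redact_header "Authorization: Bearer key_constructed"
```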