Authentication
All MCP connections require an API key. Get your key at /keys after signing up. Authorization takes precedence. WebSocket connections use query-string auth (?token=...).
API keys are shown once at creation and stored as SHA-256 hashes. If you lose your key, regenerate at /keys — this rotates account-level keys and leaves workspace-scoped keys unchanged.
Key scope
- API keys are scoped to a user account, then authorized per workspace.
- Use list_workspaces to discover every workspace the key can access.
- A workspace-scoped key can only target its bound workspace; query/header workspace selectors cannot override it.
- Account-level keys can route across accessible workspaces. If an explicit workspace is invalid or inaccessible, Undisk falls back to the default workspace.
Safe rotation pattern
⚠️ Key rotation warning: API key validations are cached for up to 5 minutes (KV TTL). After revoking or regenerating a key, the old key may remain valid for up to 5 minutes. Plan key rotations accordingly — do not assume instant revocation.
- Create a new key at /keys.
- Roll the new key out to all clients and agents.
- Verify traffic is healthy on the new key.
- Wait at least 5 minutes for auth cache expiry.
- Revoke the old key.
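Why the wait comes before the revoke, shown as an added example (not Undisk's code): a toy model of a SHA-256 key store with a 5-minute validation cache. It assumes only positive results are cached and that the TTL runs from the lookup that filled the cache; the class, function names and key value are hypothetical.

```python
import hashlib

CACHE_TTL = 300  # seconds: the page's "up to 5 minutes (KV TTL)"

def key_hash(api_key):
    # Only the SHA-256 digest of a key is stored, as the page describes.
    return hashlib.sha256(api_key.encode()).hexdigest()

class AuthModel:
    """Toy model (assumption): hashed key store plus a positive-result cache."""

    def __init__(self):
        self.store = set()  # digests of active keys
        self.cache = {}     # digest -> time the cached "valid" verdict expires

    def create(self, api_key):
        self.store.add(key_hash(api_key))

    def revoke(self, api_key):
        # Revocation changes the store only; cached verdicts are untouched.
        self.store.discard(key_hash(api_key))

    def validate(self, api_key, now):
        h = key_hash(api_key)
        if now < self.cache.get(h, 0):
            return True                      # cache hit, store not consulted
        self.cache.pop(h, None)
        if h in self.store:
            self.cache[h] = now + CACHE_TTL  # TTL runs from this lookup
            return True
        return False

def old_key_accepted(last_use, revoke_at, probe_at):
    """Is the old key still accepted at probe_at? Times are in seconds."""
    assert last_use <= revoke_at <= probe_at
    auth = AuthModel()
    old = "old-key-constructed"        # constructed sample value
    auth.create(old)
    auth.validate(old, now=last_use)   # last client request on the old key
    auth.revoke(old)                   # happens at revoke_at
    return auth.validate(old, now=probe_at)

if __name__ == "__main__":
    # Revoked 10 s after its last use: the cached verdict keeps it alive.
    print(old_key_accepted(last_use=0, revoke_at=10, probe_at=11))    # True
    print(old_key_accepted(last_use=0, revoke_at=10, probe_at=300))   # False
    # Page's pattern: clients moved off, 5 minutes passed, then revoke.
    print(old_key_accepted(last_use=0, revoke_at=300, probe_at=300))  # False
```

In this model, a key revoked while clients still use it stays accepted until its cache entry ages out, while a key that has been idle for the full TTL stops working the moment it is revoked.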