Setup

Private MCP endpoint setup checklist

Set up a private Astrail MCP endpoint with API keys, hidden metadata, allowed tools, credentials, and production verification.

Symptom

You need a generated MCP endpoint that only approved clients can discover and call.

First check

Confirm the server is private, public metadata is filtered, and every client has a scoped Astrail API key.

Quick fix

Set the endpoint private, create a fresh API key, configure the MCP client Authorization header, and run initialize plus tools/list.

1

Start with endpoint visibility

Private endpoints should require an Astrail API key for initialize, tools/list, and tools/call. Public catalog metadata should not reveal private tool names, internal paths, credentials, or generated SDK details.

2

Create client-specific keys

Use separate keys for local testing, staging, production agents, and automation. That makes rotation easier and helps you isolate a noisy or compromised client without taking every integration offline.

3

Attach upstream credentials separately

Provider API keys, OAuth tokens, and customer secrets should live in Astrail credentials storage or your backend secret manager. They should not appear in generated tool descriptions or MCP client config.

4

Verify before sharing the URL

Run initialize, tools/list, one safe tools/call, one unauthorized request, and one invalid argument request. A private endpoint is ready when valid clients work and invalid clients fail clearly.

FAQ

Can the same MCP URL be used by multiple clients?

Yes, but give each production client its own API key so usage and rotation are not coupled.

Should tools/list expose private operations?

Only to authorized clients. Anonymous public metadata should stay filtered for private endpoints.

Related runbooks