Authentication
API key and OAuth setup for the GetMint MCP server
There are two ways to authenticate to the GetMint MCP server, and they coexist — pick the one your client supports:
| Method | Best for | How you connect |
|---|---|---|
| API key | Claude Code/Desktop, Cursor, ChatGPT, the API, and any client that lets you set a request header | Paste a mint_live_ key as a Bearer header |
| OAuth | Claude.ai and ChatGPT custom connectors (web/desktop/mobile), where you connect by URL | Paste the server URL and click Connect — the client walks you through sign-in + consent |
Both grant access to the same surfaces; OAuth never breaks existing API keys. ChatGPT's custom-connector UI lets you pick either method; Claude.ai is OAuth-only and the header-based clients (Claude Code/Desktop, Cursor, Raw HTTP) are API key-only.
API key
The MCP server uses the same API keys as the GetMint REST API. One key gives you access to the REST API and the full MCP toolset (Content Studio + Insights).
Header format
Use the Authorization: Bearer header — it's the MCP spec default and works with every major client:
Authorization: Bearer mint_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXThe X-API-Key: <key> header is also supported.
Claude Code
Add the server to your .mcp.json with the key in the Authorization header:
{
"mcpServers": {
"getmint": {
"type": "http",
"url": "https://mcp.getmint.ai/mcp",
"headers": { "Authorization": "Bearer mint_live_XXXXXXXX…" }
}
}
}OAuth (Claude.ai / ChatGPT custom connector)
Claude.ai connects to a custom connector over OAuth 2.1 (its UI has nowhere to paste a key), and ChatGPT offers OAuth as one of its connector auth options. Add the connector with just the URL:
https://mcp.getmint.ai/mcpWhen you click Connect, the client discovers the GetMint authorization server, sends you to sign in to your GetMint account, and shows a consent screen listing the access it's requesting. Approve it and the connector is ready — no key to manage.
You can disconnect a connector at any time from Settings → API Access → Connected Apps in the GetMint app; revoking it immediately invalidates its tokens, and the client must be re-authorized to reconnect.
Only an organization Owner or Admin can authorize a connector — a connector token can read and write across all of your organization's data. Editors and Viewers will see a "you can't authorize this connection" screen; ask an owner/admin to set it up.
The connector requests read access to Insights and read/write access to Content Studio. The consent screen lists exactly what's requested before you approve, and the token is audience-bound to this MCP server.
Under the hood this follows the MCP authorization spec (OAuth 2.1 with PKCE, Dynamic Client Registration, and per-resource audience binding), so it also works from any other spec-compliant MCP client, not just Claude.
Key management
MCP keys can trigger credit-consuming actions (brief creation, content generation). Treat them like production secrets.
- One key per integration. Revoking a shared key breaks every caller at once.
- Never commit keys to a repo. Use your OS keychain, a secrets manager, or a
.env.localignored from git. - Rotate immediately on exposure from Settings → API Keys. The old key stops working the moment you revoke it.
- Use
mint_test_keys while you prototype. They run against the test environment with sandbox credits.
Rate limits
All MCP calls count against the same global rate limit as REST: 200 requests per minute per key.
A single MCP tool call is typically one API request, so MCP does not multiply your request budget.