Authentication
API keys, OAuth flow, rate limits, and security best practices for accessing Investra tools.
API Keys
API keys are the primary way to authenticate with the Investra MCP server. Each key is tied to your account and determines which tools you can access based on your plan.
How to generate a key:
- Log in to investraapp.com.
- Navigate to Profile > Developer.
- Click Generate API Key.
- Copy the key immediately — it will not be shown again.
Key format: All keys begin with the prefix inv_ followed by a random alphanumeric string (e.g. inv_abc123def456...).
You can have one active API key at a time. Generating a new key will not revoke your existing key — you must revoke it manually if you want to rotate.
Using API Keys with MCP
When connecting through an MCP client (Claude Code, Claude Desktop, claude.ai), the client handles authentication for you after you enter your API key during setup. Under the hood, the key is sent as a Bearer token in the Authorization header:
Authorization: Bearer inv_your_api_key_here
If you are building a custom MCP client or making direct HTTP requests, include this header with every request to https://www.investraapp.com/api/mcp.
OAuth 2.0 Flow
For HTTP transport MCP connections, Investra supports the standard OAuth 2.0 authorization code flow. This is handled automatically by compliant MCP clients, but here is the flow for reference:
- The MCP client redirects the user to the Investra authorize endpoint.
- The user logs in and grants access.
- Investra redirects back to the client with an authorization code.
- The client exchanges the code for an access token at the token endpoint.
- The access token is used in subsequent MCP requests as a Bearer token.
Most users will not need to interact with the OAuth flow directly. MCP clients like Claude Code and Claude Desktop handle the entire flow behind the scenes when you authenticate via /mcp or the settings UI.
Rate Limits
API requests are rate-limited based on your plan tier. Rate limits apply per API key and are measured in requests per minute.
| Plan | Requests / Minute | Daily Limit |
|---|---|---|
| Free | 10 | 100 |
| Pro | 30 | 1,000 |
| Pro Plus | 60 | 5,000 |
When you exceed the rate limit, the server responds with HTTP 429 Too Many Requests. The response includes a Retry-After header indicating how many seconds to wait before retrying.
For full plan details and pricing, visit investraapp.com/pricing.
Security Best Practices
- Never share your API key publicly. Do not post it in GitHub issues, Discord, or forums.
- Do not commit keys to source control. Use environment variables or a secrets manager instead of hardcoding keys in your code.
- Rotate keys regularly. If you suspect a key has been compromised, revoke it immediately and generate a new one.
- Use environment variables. Store your key in an environment variable like INVESTRA_API_KEY and reference it in your configuration.
- Limit key exposure. Only share your API key with trusted applications and services.
# Example: Store key in environment variable
export INVESTRA_API_KEY="inv_your_api_key_here"
Revoking Keys
If you need to revoke an API key (for example, if it has been leaked or you want to rotate it):
- Log in to investraapp.com.
- Navigate to Profile > Developer.
- Click Revoke next to the key you want to disable.
- Confirm the revocation.
Once revoked, any MCP connection using that key will immediately stop working. You will need to generate a new key and re-authenticate your MCP clients.
Revoking a key is immediate and irreversible. Make sure you have a new key ready before revoking your current one if you want to avoid downtime.
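To back up the advice against committing keys to source control, the following added example (not Investra's own code) scans files for strings that look like an Investra key and reports them redacted, so a hit can be revoked as described above. The 16-character minimum length and all function names are assumptions; the page only documents the inv_ prefix followed by an alphanumeric string.

```python
import re
import sys
from pathlib import Path

# Assumption: the page only says keys are "inv_" plus a random alphanumeric
# string; the 16-character minimum is a guess chosen to skip short words.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])inv_[A-Za-z0-9]{16,}(?![A-Za-z0-9])")


def redact(key: str) -> str:
    """Keep the prefix plus 4 characters so findings are safe to log."""
    return key[:8] + "*" * (len(key) - 8)


def scan_text(text: str, source: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for every suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan each regular file; undecodable bytes are replaced, not fatal."""
    findings = []
    for name in paths:
        path = Path(name)
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, name))
    return findings


# Constructed sample: the key on line 3 is made up for this example.
SAMPLE = '''\
import os
API_KEY = os.environ["INVESTRA_API_KEY"]
headers = {"Authorization": "Bearer inv_9fK2mQ7xT4bZ1cW8rLp0"}
export INVESTRA_API_KEY="inv_your_api_key_here"
'''

if __name__ == "__main__":
    args = sys.argv[1:]
    hits = scan_paths(args) if args else scan_text(SAMPLE, "sample")
    for source, lineno, key in hits:
        print(f"{source}:{lineno}: possible Investra API key {key}")
    sys.exit(1 if hits else 0)
```

Run it with the staged file names as arguments (for example from a pre-commit hook); a non-zero exit status blocks the commit. The documentation placeholder inv_your_api_key_here is not flagged because it contains underscores after the prefix.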