Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kataven.ai/llms.txt

Use this file to discover all available pages before exploring further.

The sk_live_ API key in your MCP config gives the AI full account scope — same surface as a CI deploy key. This page is the risk model + the practical mitigations.

Mint a separate key per AI app

hub.kataven.ai/settingsAPI KeysCreate API key. Suggested naming convention: 
claude-desktop-laptop          ← personal, stdio
cursor-work                    ← per-machine
chatgpt-tunneled               ← lives in the supergateway env
team-zapier-prod               ← shared via vault
Why per-app:
  • Revocation works without disrupting other tools. Stop using ChatGPT? Revoke its key without breaking the Cursor key.
  • Audit trails are usable. Every API call logs the key id; you can see “the deletion came from chatgpt-tunneled” not just “from one of your keys.”
  • Rotation is incremental. Bulk rotation across every AI app at once is friction; per-app keys let you rotate one at a time.

Set per-tenant cost caps

A runaway loop in any AI tool can rack up calls fast. Cost caps are the kill switch. hub.kataven.ai/settingsLimits tab. Three caps that bound kataven_originate_call, kataven_start_campaign, etc.:
  • Concurrent calls — max calls in flight at once. Useful when an AI loop fires many originate_call requests in parallel.
  • Calls per minute — burst rate.
  • Daily calls / minutes max — hard cap. The server returns 429 once you hit it; the AI sees the error and stops.
Note: editing caps requires Hub UI auth — a leaked sk_live_ cannot raise them.

Approve write tools, don’t auto-allow

Most AI clients (Claude Desktop, ChatGPT, Cursor, Warp, Windsurf) ask before executing destructive tools by default. Keep that on for:
  • kataven_originate_call — places real calls, real money.
  • kataven_start_campaign, kataven_resume_campaign — bulk dial.
  • kataven_delete_* — irreversible.
It’s tempting to set “always approve” once you trust an agent. Don’t, until you’ve watched it run for a week and seen its prompt-injection failure modes.

Where your sk_live_ actually lives

Different MCP setups put your key in different places. Knowing which matters for incident response.

Direct stdio (Claude Desktop, Cursor, Windsurf, Zed, VS Code, JetBrains, Warp, Goose, Raycast)

your laptop
├── AI app config file              ← KATAVEN_API_KEY value sits here
│   └── (e.g. claude_desktop_config.json)
└── kataven-mcp subprocess          ← reads env at startup
    └── outbound HTTPS → api.kataven.ai
The key is on disk in the AI app’s config, in plaintext. The AI vendor (Anthropic, OpenAI for Cursor, Microsoft for VS Code) does not see the key — the MCP subprocess runs locally and only the tool result (a JSON blob) goes back through the AI loop. If your laptop is compromised, the key is exposed alongside everything else on disk. Standard laptop hygiene: full-disk encryption, screen lock, don’t share configs in git.

Tunneled (ChatGPT, Claude.ai web, n8n)

your laptop
├── supergateway subprocess          ← KATAVEN_API_KEY value lives here (env var)
│   └── stdio pipe → kataven-mcp subprocess
│       └── outbound HTTPS → api.kataven.ai
└── ngrok / cloudflared
    └── public HTTPS endpoint  https://abc.ngrok.app/sse

                │ AI vendor (OpenAI / Anthropic) calls this
The AI vendor sees the tunnel URL, not the API key. The key sits in supergateway’s environment, never traversed in any request. However: anyone with the public URL during the session can hit kataven-mcp directly, gated only by what kataven-mcp itself enforces (which is “any caller can use any tool” — there’s no per-request auth on top of the env-baked key). Mitigations:
  • Random ngrok URLs aren’t a security boundary, but they’re impractical to brute-force in short sessions. For short ad-hoc work, fine.
  • Cloudflare Tunnel + Cloudflare Access (free) puts a Google/GitHub SSO gate in front of the tunnel — much stronger.
  • Shut the tunnel down when not in use. kill supergateway when the session ends, or use KeepAlive: false in launchd.
Full tunnel guide: Tunneling.

Endpoints intentionally not exposed via MCP

Four admin endpoints are deliberately not callable from MCP, even with a valid sk_live_ key:
EndpointWhy not
PUT /api/v1/call-limitsCost caps are platform-tier policy. A leaked sk_live_ shouldn’t be able to raise its own limits.
POST /api/marketplace/agentsTemplate authoring is admin-only.
POST /api/integrationsIntegration definitions are platform-curated.
DELETE /api/v1/sessions/{id}/recordingAudit trail integrity — recordings can only be deleted via Hub UI by an admin.
The server returns 403 Forbidden to sk_live_ callers on these paths, and the MCP server doesn’t list them as tools at all. Edit them at hub.kataven.ai/settings under the Limits / Integrations / etc. tabs.

Incident response

If you suspect a key leak:
  1. hub.kataven.ai/settingsAPI Keys tab → find the key by its name (claude-desktop-laptop, etc.) → Revoke. Effective immediately.
  2. Check hub.kataven.ai/conversations for unexpected recent calls.
  3. Check hub.kataven.ai/campaigns for unexpected campaigns.
  4. Mint a new key with the same name and update the AI app’s config.

See also