> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kataven.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Kataven MCP — security, key scoping, blast radius

> Your sk_live_ API key is full account scope when handed to Claude / ChatGPT / Cursor / etc. via MCP. Mint per-app keys, set cost caps, understand where the credential actually lives.

The `sk_live_` API key in your MCP config gives the AI **full account scope** — same surface as a CI deploy key. This page is the risk model + the practical mitigations.

## Mint a separate key per AI app

[hub.kataven.ai/settings](https://hub.kataven.ai/settings) → **API Keys** → **Create API key**. Suggested naming convention:

```
claude-desktop-laptop          ← personal, stdio
cursor-work                    ← per-machine
chatgpt-tunneled               ← lives in the supergateway env
team-zapier-prod               ← shared via vault
```

Why per-app:

* **Revocation works without disrupting other tools.** Stop using ChatGPT? Revoke its key without breaking the Cursor key.
* **Audit trails are usable.** Every API call logs the key id; you can see "the deletion came from `chatgpt-tunneled`" not just "from one of your keys."
* **Rotation is incremental.** Bulk rotation across every AI app at once is friction; per-app keys let you rotate one at a time.

## Set per-tenant cost caps

A runaway loop in any AI tool can rack up calls fast. Cost caps are the kill switch.

[hub.kataven.ai/settings](https://hub.kataven.ai/settings) → **Limits** tab. Three caps that bound `kataven_originate_call`, `kataven_start_campaign`, etc.:

* **Concurrent calls** — max calls in flight at once. Useful when an AI loop fires many `originate_call` requests in parallel.
* **Calls per minute** — burst rate.
* **Daily calls / minutes max** — hard cap. The server returns `429` once you hit it; the AI sees the error and stops.

Note: editing caps requires Hub UI auth — a leaked `sk_live_` cannot raise them.

## Approve write tools, don't auto-allow

Most AI clients (Claude Desktop, ChatGPT, Cursor, Warp, Windsurf) ask before executing destructive tools by default. Keep that on for:

* `kataven_originate_call` — places real calls, real money.
* `kataven_start_campaign`, `kataven_resume_campaign` — bulk dial.
* `kataven_delete_*` — irreversible.

It's tempting to set "always approve" once you trust an agent. Don't, until you've watched it run for a week and seen its prompt-injection failure modes.

## Where your `sk_live_` actually lives

Different MCP setups put your key in different places. Knowing which matters for incident response.

### Direct stdio (Claude Desktop, Cursor, Windsurf, Zed, VS Code, JetBrains, Warp, Goose, Raycast)

```
your laptop
├── AI app config file              ← KATAVEN_API_KEY value sits here
│   └── (e.g. claude_desktop_config.json)
└── kataven-mcp subprocess          ← reads env at startup
    └── outbound HTTPS → api.kataven.ai
```

The key is on disk in the AI app's config, in plaintext. The AI vendor (Anthropic, OpenAI for Cursor, Microsoft for VS Code) **does not see the key** — the MCP subprocess runs locally and only the tool result (a JSON blob) goes back through the AI loop.

If your laptop is compromised, the key is exposed alongside everything else on disk. Standard laptop hygiene: full-disk encryption, screen lock, don't share configs in git.

### Tunneled (ChatGPT, Claude.ai web, n8n)

```
your laptop
├── supergateway subprocess          ← KATAVEN_API_KEY value lives here (env var)
│   └── stdio pipe → kataven-mcp subprocess
│       └── outbound HTTPS → api.kataven.ai
└── ngrok / cloudflared
    └── public HTTPS endpoint  https://abc.ngrok.app/sse
                ▲
                │ AI vendor (OpenAI / Anthropic) calls this
```

The AI vendor sees the **tunnel URL**, not the API key. The key sits in supergateway's environment, never traversed in any request.

**However**: anyone with the public URL during the session can hit `kataven-mcp` directly, gated only by what kataven-mcp itself enforces (which is "any caller can use any tool" — there's no per-request auth on top of the env-baked key). Mitigations:

* **Random ngrok URLs aren't a security boundary**, but they're impractical to brute-force in short sessions. For short ad-hoc work, fine.
* **Cloudflare Tunnel + Cloudflare Access** (free) puts a Google/GitHub SSO gate in front of the tunnel — much stronger.
* **Shut the tunnel down when not in use.** `kill` supergateway when the session ends, or use `KeepAlive: false` in launchd.

Full tunnel guide: [Tunneling](/sdks/mcp/tunneling).

## Endpoints intentionally not exposed via MCP

Four admin endpoints are deliberately not callable from MCP, even with a valid `sk_live_` key:

| Endpoint                                 | Why not                                                                                            |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------- |
| `PUT /api/v1/call-limits`                | Cost caps are platform-tier policy. A leaked sk\_live\_ shouldn't be able to raise its own limits. |
| `POST /api/marketplace/agents`           | Template authoring is admin-only.                                                                  |
| `POST /api/integrations`                 | Integration definitions are platform-curated.                                                      |
| `DELETE /api/v1/sessions/{id}/recording` | Audit trail integrity — recordings can only be deleted via Hub UI by an admin.                     |

The server returns `403 Forbidden` to `sk_live_` callers on these paths, and the MCP server doesn't list them as tools at all. Edit them at [hub.kataven.ai/settings](https://hub.kataven.ai/settings) under the **Limits** / **Integrations** / etc. tabs.

## Incident response

If you suspect a key leak:

1. [hub.kataven.ai/settings](https://hub.kataven.ai/settings) → **API Keys** tab → find the key by its name (`claude-desktop-laptop`, etc.) → **Revoke**. Effective immediately.
2. Check [hub.kataven.ai/conversations](https://hub.kataven.ai/conversations) for unexpected recent calls.
3. Check [hub.kataven.ai/campaigns](https://hub.kataven.ai/campaigns) for unexpected campaigns.
4. Mint a new key with the same name and update the AI app's config.

## See also

* [Authentication](/authentication) — sk\_live\_ vs JWT, when each is required.
* [Tunneling](/sdks/mcp/tunneling) — risks specific to the public-tunnel path.
* [Manage with AI overview](/guides/ai-agents) — picking between MCP and direct-SDK paths.
