Skip to main content
An API key lets a script, CI job, or automation authenticate to Murmur without a developer signing in through GitHub. The key authenticates as a Service Profile, so anything it does runs under the profile’s identity and Access Grants — not under a person. Use an API key when:
  • A CI pipeline spawns or drives agents. Your GitHub Actions workflow, deploy script, or cron job needs to call the CLI or MCP server with no interactive login.
  • A bot integration runs unattended. A long-running service calls the Murmur API on its own schedule and can’t refresh a developer session.
  • You want an identity that outlives any person. The key is bound to a Service Profile, so it keeps working when a developer leaves the team and their tokens rotate.
API keys are created from the dashboard. Each key is shown in full exactly once, at creation.

1. Create an API key

You create an API key against an existing Service Profile. Create the profile first if you don’t have one.
  1. Sign in at cloud.murmur.dev.
  2. Go to Organization Settings → Permissions → API Keys.
  3. Click Create API key and fill in the form:
    • Description (required): a human-readable label, such as CI pipeline or nightly-deploy. This is how you’ll recognize the key in the list later.
    • Service Profile (required): the profile the key authenticates as. The key inherits that profile’s Access Grants, so it can do exactly what the profile is allowed to do — no more.
  4. Click Create API key.
The full key appears once, in the form mur_ followed by an identifier and a secret: 
mur_3f9c1a2b7e4d8061.5b2c…<secret>
This is the only time the full key is displayed. Copy it now and store it somewhere secure — a CI secret store, a password manager, or your platform’s secret manager. If you lose it, you can’t recover it; revoke the key and create a new one.
Check the confirmation box and click Done. The key now appears in the list, showing its description, a masked identifier (mur_3f9c1a2b…), the Service Profile it’s scoped to, who created it, and when.

2. Use the key

A key is supplied through the MURMUR_API_KEY environment variable. Both the CLI and the MCP server read it from their environment and authenticate as the key’s Service Profile — no gh auth or murmur setup required.

From the CLI

Export the variable, then run any command: 
export MURMUR_API_KEY="mur_3f9c1a2b7e4d8061.5b2c…<secret>"
murmur ls
In a GitHub Actions workflow, read it from a repository secret: 
- name: Spawn an agent
  env:
    MURMUR_API_KEY: ${{ secrets.MURMUR_API_KEY }}
  run: murmur spawn fix-flaky-test --workspace my-team --out pr

From the MCP server

The MCP server is the murmur mcp command, so it authenticates with the same MURMUR_API_KEY variable — set it in the server’s environment in your MCP client config. This is how you give an MCP client (Claude Code, Cursor, or any other) Murmur tools that act as the Service Profile instead of a logged-in developer. In Claude Code, pass the key when you register the server: 
claude mcp add murmur -e MURMUR_API_KEY="mur_3f9c1a2b7e4d8061.5b2c…<secret>" -- murmur mcp
For a client that configures MCP servers with JSON, add the key under env: 
{
  "mcpServers": {
    "murmur": {
      "command": "murmur",
      "args": ["mcp"],
      "env": {
        "MURMUR_API_KEY": "mur_3f9c1a2b7e4d8061.5b2c…<secret>"
      }
    }
  }
}
Every Murmur tool the client invokes — spawn, ls, status, and the rest — then runs as the Service Profile. When MURMUR_API_KEY is set, the owner of every call is the Service Profile — your personal GitHub identity is not involved.
MURMUR_API_KEY is mutually exclusive with the agent-side credentials MURMUR_IDENTITY_TOKEN and MURMUR_WORKFLOW_ID. Setting the API key alongside either of those is an error and the command fails immediately, rather than guessing which identity you meant. On a developer laptop, in CI, or in an MCP client config, set only MURMUR_API_KEY.

3. Revoke a key

A key stays valid until you revoke it — there is no expiry.
  1. Go to Organization Settings → Permissions → API Keys.
  2. Find the key by its description and masked identifier.
  3. Click the trash icon, then confirm Revoke?.
Revoking takes effect immediately: the next call made with that key is rejected. Revoking one key does not affect any other key for the same Service Profile, so you can rotate by creating a new key, switching your CI secret over, then revoking the old one.

Service Profiles

Create the bot identity an API key authenticates as.

Authentication

How developers and agents authenticate to Murmur.

Authorization

The permission model behind a Service Profile’s Access Grants.

CLI overview

Commands the key lets you run unattended.