
# API Keys

> Create a long-lived credential for programmatic and CI access — a key that authenticates the CLI and MCP server as a service profile, with no GitHub login.

An API key lets a script, CI job, or automation authenticate to Murmur without a developer signing in through GitHub. The key authenticates as a [Service Profile](/concepts/service-profiles), so anything it does runs under the profile's identity and [Access Grants](/security/authorization) — not under a person.

Use an API key when:

* **A CI pipeline spawns or drives agents.** Your GitHub Actions workflow, deploy script, or cron job needs to call the [CLI](/cli/overview) or [MCP server](/mcp-server/overview) with no interactive login.
* **A bot integration runs unattended.** A long-running service calls the Murmur API on its own schedule and can't refresh a developer session.
* **You want an identity that outlives any person.** The key is bound to a Service Profile, so it keeps working when a developer leaves the team and their tokens rotate.

API keys are created from the dashboard. Each key is shown in full exactly once, at creation.

## 1. Create an API key

You create an API key against an existing [Service Profile](/security/service-profile). Create the profile first if you don't have one.

1. Sign in at [cloud.murmur.dev](https://cloud.murmur.dev).

2. Go to **Organization Settings → Permissions → API Keys**.

3. Click **Create API key** and fill in the form:

   * **Description** *(required)*: a human-readable label, such as `CI pipeline` or `nightly-deploy`. This is how you'll recognize the key in the list later.
   * **Service Profile** *(required)*: the profile the key authenticates as. The key inherits that profile's Access Grants, so it can do exactly what the profile is allowed to do — no more.

4. Click **Create API key**.

The full key appears once, in the form `mur_` followed by an identifier and a secret:

```text
mur_3f9c1a2b7e4d8061.5b2c…<secret>
```

<Warning>
  This is the only time the full key is displayed. Copy it now and store it somewhere secure — a CI secret store, a password manager, or your platform's secret manager. If you lose it, you can't recover it; revoke the key and create a new one.
</Warning>

Check the confirmation box and click **Done**. The key now appears in the list, showing its description, a masked identifier (`mur_3f9c1a2b…`), the Service Profile it's scoped to, who created it, and when.

## 2. Use the key

A key is supplied through the `MURMUR_API_KEY` environment variable. Both the [CLI](/cli/overview) and the [MCP server](/mcp-server/overview) read it from their environment and authenticate as the key's Service Profile — no `gh auth` or [`murmur setup`](/cli/setup) required.

### From the CLI

Export the variable, then run any command:

```bash
export MURMUR_API_KEY="mur_3f9c1a2b7e4d8061.5b2c…<secret>"
murmur ls
```

In a GitHub Actions workflow, read it from a repository secret:

```yaml
- name: Spawn an agent
  env:
    MURMUR_API_KEY: ${{ secrets.MURMUR_API_KEY }}
  run: murmur spawn fix-flaky-test --workspace my-team --out pr
```

### From the MCP server

The [MCP server](/mcp-server/overview) is the `murmur mcp` command, so it authenticates with the same `MURMUR_API_KEY` variable — set it in the server's environment in your MCP client config. This is how you give an MCP client (Claude Code, Cursor, or any other) Murmur tools that act as the Service Profile instead of a logged-in developer.

In Claude Code, pass the key when you register the server:

```bash
claude mcp add murmur -e MURMUR_API_KEY="mur_3f9c1a2b7e4d8061.5b2c…<secret>" -- murmur mcp
```

For a client that configures MCP servers with JSON, add the key under `env`:

```json
{
  "mcpServers": {
    "murmur": {
      "command": "murmur",
      "args": ["mcp"],
      "env": {
        "MURMUR_API_KEY": "mur_3f9c1a2b7e4d8061.5b2c…<secret>"
      }
    }
  }
}
```

Every Murmur tool the client invokes — [`spawn`](/mcp-server/spawn), [`ls`](/mcp-server/ls), [`status`](/mcp-server/status), and the rest — then runs as the Service Profile.

When `MURMUR_API_KEY` is set, the owner of every call is the Service Profile — your personal GitHub identity is not involved.

<Note>
  `MURMUR_API_KEY` is mutually exclusive with the agent-side credentials `MURMUR_IDENTITY_TOKEN` and `MURMUR_WORKFLOW_ID`. Setting the API key alongside either of those is an error and the command fails immediately, rather than guessing which identity you meant. On a developer laptop, in CI, or in an MCP client config, set only `MURMUR_API_KEY`.
</Note>
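
A preflight check a CI job could run before its first `murmur` command, added here as an example and not part of the Murmur CLI. The function names are hypothetical, and the shape test (`mur_`, an identifier, a dot, a secret) is an assumption read off the sample key shown earlier on this page.

```bash
# Added example, not part of the Murmur CLI. Function names are hypothetical.
# Assumption: a key has the shape mur_<identifier>.<secret>, read off the
# sample key on this page; lengths and character set are not specified there.

# Print the key the way the dashboard list shows it (mur_ plus the first
# 8 characters of the identifier), so logs never contain the secret.
murmur_mask_key() {
  local ident
  ident="${1#mur_}"       # drop the prefix
  ident="${ident%%.*}"    # keep what precedes the first dot
  printf 'mur_%.8s…\n' "$ident"
}

# Return 0 if the environment is usable, 1 if the key is missing,
# 2 if an agent-side credential is also set, 3 if the key is malformed.
murmur_preflight() {
  local pair
  if [ -z "${MURMUR_API_KEY:-}" ]; then
    echo "murmur preflight: MURMUR_API_KEY is not set" >&2
    return 1
  fi
  # The CLI rejects these combinations; catch them before the first command.
  for pair in "MURMUR_IDENTITY_TOKEN=${MURMUR_IDENTITY_TOKEN:-}" \
              "MURMUR_WORKFLOW_ID=${MURMUR_WORKFLOW_ID:-}"; do
    if [ -n "${pair#*=}" ]; then
      echo "murmur preflight: ${pair%%=*} is set alongside MURMUR_API_KEY" >&2
      return 2
    fi
  done
  case "$MURMUR_API_KEY" in
    *[[:space:]]*)   # e.g. a trailing newline pasted into the secret store
      echo "murmur preflight: MURMUR_API_KEY contains whitespace" >&2
      return 3 ;;
    mur_?*.?*) ;;
    *)
      echo "murmur preflight: MURMUR_API_KEY is not mur_<identifier>.<secret>" >&2
      return 3 ;;
  esac
  echo "murmur preflight: using key $(murmur_mask_key "$MURMUR_API_KEY")"
}
```

Call `murmur_preflight || exit $?` at the top of the job; the masked value it prints can be matched against the key list in the dashboard.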

## 3. Revoke a key

A key stays valid until you revoke it — there is no expiry.

1. Go to **Organization Settings → Permissions → API Keys**.
2. Find the key by its description and masked identifier.
3. Click the trash icon, then confirm **Revoke?**.

Revoking takes effect immediately: the next call made with that key is rejected. Revoking one key does not affect any other key for the same Service Profile, so you can rotate by creating a new key, switching your CI secret over, then revoking the old one.

## Related

<CardGroup cols={2}>
  <Card title="Service Profiles" icon="robot" href="/security/service-profile">
    Create the bot identity an API key authenticates as.
  </Card>

  <Card title="Authentication" icon="key" href="/security/authentication">
    How developers and agents authenticate to Murmur.
  </Card>

  <Card title="Authorization" icon="shield" href="/security/authorization">
    The permission model behind a Service Profile's Access Grants.
  </Card>

  <Card title="CLI overview" icon="terminal" href="/cli/overview">
    Commands the key lets you run unattended.
  </Card>
</CardGroup>
