
Add MCP API key management tool #109

Open: IlyaasK wants to merge 1 commit into codex/projects-mcp-tool from codex/api-keys-mcp-tool


@IlyaasK (Contributor) commented May 29, 2026

Summary

  • add manage_api_keys MCP tool for create/list/get/update/delete
  • support project-scoped API-key creation via project_id and optional days_to_expire
  • wire the API-key capability into MCP registration after projects

Validation

  • bunx prettier --write src/lib/mcp/tools/api-keys.ts src/lib/mcp/register.ts
  • git diff --check
  • KERNEL_CLI_PROD_CLIENT_ID=dummy-prod KERNEL_CLI_STAGING_CLIENT_ID=dummy-staging KERNEL_CLI_DEV_CLIENT_ID=dummy-dev NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_Y2xlcmsuZXhhbXBsZS5jb20k bun run build
  • localhost MCP CRUD smoke against http://127.0.0.1:3002/mcp with API_BASE_URL=http://127.0.0.1:3001: initialized MCP, verified manage_api_keys was listed, created a scratch project, created a project-scoped API key, confirmed plaintext key is returned on create only, got/updated/listed/deleted the key, then deleted the scratch project

Notes

  • bun run format:check still fails on pre-existing AGENTS.md formatting outside this PR scope.

Note

High Risk
Introduces programmatic create/delete of API credentials over MCP; create returns full plaintext keys, which is high-impact if MCP auth or tool access is misconfigured.

Overview
Exposes Kernel API key lifecycle to MCP clients via a new manage_api_keys tool, registered in registerMcpCapabilities immediately after project tools.

Agents can create org-wide or project-scoped keys (optional project_id, days_to_expire up to 3650 or no expiry), list/get masked metadata with pagination, update names, and delete keys. Create responses include the plaintext secret once; other actions return masked JSON. Calls use the authenticated MCP token through createKernelClient and mirror the existing manage_projects action/switch pattern.

Reviewed by Cursor Bugbot for commit 8849607.


vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: mcp
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 29, 2026 7:37pm

@IlyaasK IlyaasK marked this pull request as ready for review May 29, 2026 19:43

@firetiger-agent

Monitoring Plan: API key management via MCP tool

What this PR does: Lets AI agents create, list, rename, and delete Kernel API keys directly through the MCP protocol, without leaving their context.

Intended effect:

  • POST /org/api_keys success rate: baseline 100% (9 of 9 creates succeeded over 7 days); confirmed if new MCP-originated creates return HTTP 201 with zero 5xx.
  • GET /org/api_keys availability: baseline 0 server errors (24 requests, 0 errors over 7 days); confirmed if list/get calls return 200 without error.

Risks:

  • Auth token not forwarded - GET /org/api_keys 401 rate, alert if > 20% of calls return 401/403 over any 30-minute window post-deploy.
  • Create/delete 500s - /org/api_keys POST or /org/api_keys/{id} DELETE 5xx count, alert if any HTTP 500 appears (baseline: 0 over 7 days).
  • MCP server startup failure - kernel-mcp-server pod health, alert if crash loop or health check failure occurs within 5 minutes of deploy.

Status updates will be posted automatically on this PR as monitoring progresses.

View monitor
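
The alert rules from the monitoring plan above, written out as an added example; this is not code from the PR, from Kernel, or from the monitoring bot. The record fields, the sample traffic and the `minCalls` parameter are assumptions made for illustration; with very few calls in a window, a single 401 already exceeds 20%, which is what `minCalls` lets you damp.

```typescript
// Added example: record fields and sample traffic are constructed, not Kernel's log schema.
interface ApiCall { ts: number; method: string; path: string; status: number } // ts: epoch ms
interface MonitorAlert { rule: string; at: number; detail: string }

const WINDOW_MS = 30 * 60 * 1000; // "any 30-minute window"
const DENIED_RATIO = 0.2; // "> 20% of calls return 401/403"
const KEY_BY_ID = /^\/org\/api_keys\/[^/]+$/;

// minCalls is an assumed knob, not part of the plan; 1 applies the plan literally.
function evaluateMonitors(calls: ApiCall[], minCalls = 1): MonitorAlert[] {
  const alerts: MonitorAlert[] = [];
  let win: ApiCall[] = [];
  let breaching = false;
  for (const c of [...calls].sort((a, b) => a.ts - b.ts)) {
    // Risk "Create/delete 500s": any server error fires, since the baseline is zero.
    const create = c.method === "POST" && c.path === "/org/api_keys";
    const del = c.method === "DELETE" && KEY_BY_ID.test(c.path);
    if ((create || del) && c.status >= 500) {
      alerts.push({ rule: "create-delete-5xx", at: c.ts, detail: `${c.method} ${c.path} -> ${c.status}` });
    }
    // Risk "Auth token not forwarded": 401/403 share of GET /org/api_keys in the trailing window.
    if (c.method !== "GET" || c.path !== "/org/api_keys") continue;
    win = win.filter((w) => c.ts - w.ts <= WINDOW_MS);
    win.push(c);
    const denied = win.filter((w) => w.status === 401 || w.status === 403).length;
    const over = win.length >= minCalls && denied / win.length > DENIED_RATIO;
    if (over && !breaching) {
      alerts.push({ rule: "auth-not-forwarded", at: c.ts, detail: `${denied}/${win.length} denied` });
    }
    breaching = over; // edge-triggered: one alert per breach, not one per call
  }
  return alerts;
}

const MIN = 60 * 1000;
// Constructed traffic: healthy lists, then 401s, then a failed delete.
const SAMPLE: ApiCall[] = [
  { ts: 0 * MIN, method: "GET", path: "/org/api_keys", status: 200 },
  { ts: 5 * MIN, method: "GET", path: "/org/api_keys", status: 200 },
  { ts: 10 * MIN, method: "POST", path: "/org/api_keys", status: 201 },
  { ts: 12 * MIN, method: "GET", path: "/org/api_keys", status: 200 },
  { ts: 15 * MIN, method: "GET", path: "/org/api_keys", status: 200 },
  { ts: 20 * MIN, method: "GET", path: "/org/api_keys", status: 401 },
  { ts: 25 * MIN, method: "GET", path: "/org/api_keys", status: 401 },
  { ts: 40 * MIN, method: "DELETE", path: "/org/api_keys/key_example", status: 500 },
];

console.log(evaluateMonitors(SAMPLE));
```

In the sample, the first 401 brings the window to exactly 1 of 5 denied, which does not exceed 20%, so the auth alert fires on the second 401.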
