Getting Started

Authentication

Zeeb MCP supports two authentication methods: direct bearer tokens (API keys) and OAuth 2.0 (for clients like Lovable that require interactive authorization).

API keys (bearer tokens)

API keys are the primary way to authenticate. They are long-lived credentials scoped to your tenant.

Key format

All Zeeb API keys start with zb_:

zb_a1b2c3d4e5f6...

Using an API key

Pass the key as a Bearer token in the Authorization header on every MCP request:

Authorization: Bearer zb_your_key_here

In MCP client config:

{
  "mcpServers": {
    "zeeb": {
      "url": "https://mcp.zeeb.cloud/mcp",
      "headers": {
        "Authorization": "Bearer zb_your_key_here"
      }
    }
  }
}

Creating API keys

  1. Sign in to the portal at zeeb.cloud/login
  2. Go to API Keys in the sidebar
  3. Click New API key, give it a descriptive name
  4. Copy the key — it is shown only once and cannot be retrieved later
  5. The copy-ready config snippet is shown immediately after creation

Key management

  • Keys can be revoked at any time from the portal — revocation is instant
  • Each key is tied to your tenant; a revoked key cannot be used by anyone
  • Create separate keys per client (one for Claude, one for Cursor, etc.) for easier auditing

OAuth 2.0

OAuth is used by clients that require interactive authorization, such as Lovable. The gateway exposes a standard MCP OAuth flow.

OAuth discovery

The gateway publishes OAuth metadata at:

GET https://mcp.zeeb.cloud/.well-known/oauth-authorization-server
GET https://mcp.zeeb.cloud/.well-known/oauth-protected-resource

Authorization flow

  1. Your MCP client discovers the OAuth metadata
  2. It redirects you to https://mcp.zeeb.cloud/mcp/authorize
  3. You enter your Zeeb API key (or portal credentials) in the login form
  4. The gateway issues an authorization code and redirects back to the client
  5. The client exchanges the code for a short-lived access token
  6. The client uses the access token for subsequent MCP requests

Note: Lovable only supports OAuth-based MCP connections. Direct bearer token auth does not work in Lovable — use the OAuth flow there.
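
Client-side check for steps 1 and 2 of the flow above (an added example, not Zeeb's own code): before redirecting the user or sending an authorization code anywhere, confirm that the discovered metadata points back at the gateway. The two metadata documents are constructed samples using the standard RFC 8414 / RFC 9728 field names, the token path is a placeholder, and the rule that every endpoint lives on the gateway origin is an assumption based on the authorize URL shown on this page.

```python
import json
from urllib.parse import urlsplit

GATEWAY = "https://mcp.zeeb.cloud"  # origin of the discovery URLs on this page
# Constructed sample documents, not captured from the real gateway. Field names
# are the standard RFC 8414 / RFC 9728 ones; the token path is a placeholder.
AS_METADATA = json.loads("""{
  "issuer": "https://mcp.zeeb.cloud",
  "authorization_endpoint": "https://mcp.zeeb.cloud/mcp/authorize",
  "token_endpoint": "https://mcp.zeeb.cloud/TOKEN_PATH_PLACEHOLDER"
}""")
RESOURCE_METADATA = json.loads("""{
  "resource": "https://mcp.zeeb.cloud/mcp",
  "authorization_servers": ["https://mcp.zeeb.cloud"]
}""")


def on_gateway(url, gateway=GATEWAY):
    """True only for an https URL whose host and port match the gateway origin.

    Assumption: the gateway serves its own OAuth endpoints on the same origin."""
    if not isinstance(url, str):
        return False
    try:
        u, g = urlsplit(url), urlsplit(gateway)
        return (u.scheme == "https" and u.hostname == g.hostname
                and (u.port or 443) == (g.port or 443))
    except ValueError:  # malformed host or port
        return False


def check_discovery(as_meta, res_meta, gateway=GATEWAY):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    issuer = as_meta.get("issuer")
    if not isinstance(issuer, str) or issuer.rstrip("/") != gateway:
        problems.append("issuer does not match the gateway the metadata came from")
    for field in ("authorization_endpoint", "token_endpoint"):
        if not on_gateway(as_meta.get(field), gateway):
            problems.append(f"{field} is missing, not https, or on another host")
    if not on_gateway(res_meta.get("resource"), gateway):
        problems.append("resource is missing, not https, or on another host")
    servers = res_meta.get("authorization_servers")
    if not isinstance(servers, list) or issuer not in servers:
        problems.append("protected resource does not list this issuer")
    return problems


if __name__ == "__main__":
    print(check_discovery(AS_METADATA, RESOURCE_METADATA) or "metadata consistent")
```

A client that gets a non-empty list back should stop before the redirect to the authorize endpoint rather than continue with the flow.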

Security notes

  • API keys are hashed before storage; Zeeb cannot retrieve your key if you lose it
  • Short-lived OAuth access tokens are issued per session and expire automatically
  • All MCP traffic is over HTTPS; plain HTTP connections are rejected in production
  • Rate limits are enforced per key, based on your plan's requests-per-minute (RPM) limit