Setup
Private MCP endpoint setup checklist
Set up a private Astrail MCP endpoint with API keys, hidden metadata, allowed tools, credentials, and production verification.
Symptom
You need a generated MCP endpoint that only approved clients can discover and call.
First check
Confirm the server is private, public metadata is filtered, and every client has a scoped Astrail API key.
Quick fix
Set the endpoint private, create a fresh API key, configure the MCP client Authorization header, and run initialize plus tools/list.
Start with endpoint visibility
Private endpoints should require an Astrail API key for initialize, tools/list, and tools/call. Public catalog metadata should not reveal private tool names, internal paths, credentials, or generated SDK details.
Create client-specific keys
Use separate keys for local testing, staging, production agents, and automation. That makes rotation easier and helps you isolate a noisy or compromised client without taking every integration offline.
Attach upstream credentials separately
Provider API keys, OAuth tokens, and customer secrets should live in Astrail credentials storage or your backend secret manager. They should not appear in generated tool descriptions or MCP client config.
Verify before sharing the URL
Run initialize, tools/list, one safe tools/call, one unauthorized request, and one invalid argument request. A private endpoint is ready when valid clients work and invalid clients fail clearly.
FAQ
Can the same MCP URL be used by multiple clients?
Yes, but give each production client its own API key so usage and rotation are not coupled.
Should tools/list expose private operations?
Only to authorized clients. Anonymous public metadata should stay filtered for private endpoints.