API Keys

Your CodeLoop API key authenticates the MCP server with our backend. This page covers everything about managing your keys.

Generating a Key

Via the Browser Auth Flow (Recommended)

The fastest path. npx codeloop auth opens codeloop.tech/cli-auth, where you sign in (GitHub / Google / Apple / email) and approve the request. The browser hands a fresh key back to the CLI over a one-time loopback callback — no copy-paste, no environment-variable surgery. The key is saved to ~/.codeloop/config.json and automatically picked up by the MCP server.

npx codeloop auth

# rotate the key from the same flow
npx codeloop auth --rotate

# headless / firewalled box: fall back to email + password
npx codeloop auth --no-browser

Via the Dashboard

1. Log in at codeloop.tech/dashboard/keys
2. Click Create New Key
3. Give it a name (e.g., “Work Laptop”)
4. Copy the key immediately — it's shown only once

Via the CLI

# If you already have an account
npx codeloop login
# Then generate a key
npx codeloop keys create --name "Work Laptop"

# If you're new, signup creates your first key automatically
npx codeloop signup

Free OSS plan

Maintainer of an open-source project? Apply at /oss-application. The form verifies your repo (OSI-approved license, public, recent activity) and provisions a Team-tier key automatically when checks pass. See Billing & usage for OSS eligibility details.

Setting the Environment Variable

The MCP server reads your key from the CODELOOP_API_KEY environment variable.

macOS (zsh)

# Add to ~/.zshrc
echo 'export CODELOOP_API_KEY="cl_live_your_key_here"' >> ~/.zshrc
source ~/.zshrc

Linux (bash)

# Add to ~/.bashrc
echo 'export CODELOOP_API_KEY="cl_live_your_key_here"' >> ~/.bashrc
source ~/.bashrc

Windows (PowerShell)

# Set as user environment variable (persists across sessions)
[System.Environment]::SetEnvironmentVariable("CODELOOP_API_KEY", "cl_live_your_key_here", "User")

# Or set for current session only
$env:CODELOOP_API_KEY = "cl_live_your_key_here"

Adding to MCP Config

When you run npx codeloop init, the API key is automatically added to your MCP config. If you need to add it manually:

Cursor (.cursor/mcp.json)

{
  "mcpServers": {
    "codeloop": {
      "command": "npx",
      "args": ["-y", "codeloop-mcp-server"],
      "env": {
        "CODELOOP_API_KEY": "cl_live_your_key_here"
      }
    }
  }
}

Claude Code (.claude/settings.local.json)

{
  "mcpServers": {
    "codeloop": {
      "command": "npx",
      "args": ["-y", "codeloop-mcp-server"],
      "env": {
        "CODELOOP_API_KEY": "cl_live_your_key_here"
      }
    }
  }
}

Rotating a Key

If your key is compromised or you want to rotate it as a security practice:

1. Go to Dashboard → API Keys
2. Click the rotate icon next to the key you want to rotate
3. A new key is generated and the old one is immediately revoked
4. Update your CODELOOP_API_KEY environment variable with the new key

Renaming a Key

Each row in the dashboard has a pencil (Rename) icon. Renaming changes only the label — the secret value, prefix, plan, and usage history all stay the same, so any device using that key keeps working without an env-var swap.

Use rename to tidy up legacy CLI auth key rows minted by older versions of npx codeloop auth (pre 0.1.38). New CLI auth flows now mint descriptive names like CLI auth — Jis-MacBook-Pro (2026-05-22) automatically, so any duplicate “CLI auth key” rows you see are from earlier auth flows on the same or other machines. You can either rename them in place (recommended, keeps the key live), or revoke + delete if you don't recognise the prefix.

Revoking a Key

To revoke a key without creating a replacement, click the X icon on an active row. The key stops working immediately. After revocation, the row gains a red trash icon — Delete permanently— that removes it from the dashboard entirely (the audit-log breadcrumb is preserved).

Security Best Practices

• Never commit keys to version control. Add .env to your .gitignore.
• Use environment variables instead of hardcoding keys in config files.
• Use separate keys for different machines or environments.
• Rotate keys regularly — the dashboard makes this a one-click operation.
• Revoke unused keys — if a machine is decommissioned, revoke its key.

Key Format

CodeLoop API keys use the format cl_live_ followed by a random string. Example: cl_live_abc123def456...

The cl_live_ prefix makes it easy to identify CodeLoop keys in your environment and helps secret scanners detect accidentally committed keys.

Next Steps

• Cursor Setup — complete Cursor configuration
• Claude Code Setup — complete Claude Code configuration
• Dashboard — manage your keys