Authentication
Connect with OAuth as yourself, or use an org-scoped API key.
The MCP server accepts two credentials: OAuth — the recommended way to connect an agent as yourself — and the same API keys as the REST and GraphQL APIs for server-to-server integrations. Every MCP request carries its credential as a bearer token.
OAuth (recommended)
Add https://mcp.raster.app/ as a remote MCP server in your client (Claude,
Cursor, or any client that speaks MCP authorization). The client discovers
the authorization server automatically, registers itself, and opens a Raster
consent page where you sign in and pick one organization the connection
may access. The connection gets your library access within that organization
and follows it live — change a role or remove a library and the connection
follows.
For terminals and other devices without a browser, the device flow shows a
short code to enter at https://raster.app/device.
Manage every connection under Settings → Connected apps, where one click revokes it.
API keys
You manage keys in each organization's settings, where you can:
- Create a key when you need one.
- Scope it by enabling access only to specific libraries.
- Regenerate it if it is ever exposed.
- Delete it when it is no longer needed.
Creating a key
Open organization settings
Go to Organization name → Settings in the Raster app.
Generate a new key
In the API keys section, generate a new key. Copy it immediately — for security, the full key is shown only once.
Grant library access
Enable Read access for every library the key should reach. Add Write access if the connection will upload, delete, tag, or move assets. Save your changes.
Treat API keys like passwords. Never commit them to source control or expose them in client-side code. If a key leaks, regenerate it immediately — the old value stops working at once.
Access levels
Each key carries a per-library access level. Tools check this level before running:
| Level | Grants |
|---|---|
| Read | Read tools — list_libraries, list_assets, search_assets, list_tags — and every resource. |
| Write | Write tools — upload_asset, upload_assets, delete_assets, tag_assets, untag_assets, update_asset_description, transfer_assets. Includes read. |
A tool that targets a library the key cannot reach fails with
API_KEY_NOT_AUTHORIZED_FOR_LIBRARY (404) — the same response as an unknown
library, so the key learns nothing about libraries it has no access to. See
Errors.
Authenticating the connection
Send your key as a bearer token in the Authorization header on every
request to https://mcp.raster.app/:
Authorization: Bearer <API_KEY>
In most MCP clients — Claude, ChatGPT, Cursor, VS Code, and others — you paste the key once when adding the remote server; the client attaches the header to every request for you. See Connect Raster for the per-client steps.
Requirements
- HTTPS only. Requests over plain HTTP are rejected.
- Authentication required. A missing or malformed Authorization header is rejected with 401 before any tool runs.
- Scope matters. The key must have the right access level for every library a tool touches.
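The check order that Access levels and Requirements describe, as an added sketch that is not Raster's implementation: credential first, then library reachability with one indistinguishable 404, then access level. The key values, library ids, the SHA-256 key lookup, the 401 for an unrecognized key, and the 403 for an insufficient level are assumptions; the page does not specify them.

```python
import hashlib
import re

# Read tools as listed in the Access levels table; any other tool needs Write.
READ_TOOLS = {"list_libraries", "list_assets", "search_assets", "list_tags"}
RANK = {"read": 1, "write": 2}  # Write includes Read

NOT_FOUND = (404, "API_KEY_NOT_AUTHORIZED_FOR_LIBRARY")  # code from this page
BEARER = re.compile(r"Bearer ([A-Za-z0-9\-._~+/]+=*)")  # RFC 6750 b64token


def digest(key):
    # Assumption: keys are stored and looked up by hash, never in plaintext.
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample data: two existing libraries, two keys with grants.
LIBRARIES = {"lib-a", "lib-b"}
KEYS = {
    digest("rk_constructed_read"): {"lib-a": "read"},
    digest("rk_constructed_write"): {"lib-a": "write"},
}


def authorize(headers, tool, library_id):
    """Return (status, error_code) for a tool call against one library."""
    # 1. Credential check runs before any tool or library lookup.
    m = BEARER.fullmatch(headers.get("Authorization", ""))
    grants = KEYS.get(digest(m.group(1))) if m else None
    if grants is None:
        return (401, None)  # missing, malformed, or (assumed) unrecognized key

    # 2. An unknown library and an ungranted library take the same branch,
    #    so the response cannot be used to learn which libraries exist.
    level = grants.get(library_id) if library_id in LIBRARIES else None
    if level is None:
        return NOT_FOUND

    # 3. Fail closed: a tool not known to be read-only requires Write.
    needed = "read" if tool in READ_TOOLS else "write"
    if RANK[level] < RANK[needed]:
        return (403, None)  # status is an assumption, not stated on the page
    return (200, None)
```
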