
Authentication

Create an API key, scope it to libraries, and authenticate the MCP connection.

The MCP server authenticates with the same API keys as the REST and GraphQL APIs. Keys are created per organization and can be scoped to grant access only to the libraries you choose. Every MCP request carries the key as a bearer token.

API keys

You manage keys in each organization's settings, where you can:

  1. Create a key when you need one.
  2. Scope it by enabling access only to specific libraries.
  3. Regenerate it if it is ever exposed.
  4. Delete it when it is no longer needed.

Creating a key

  1. Open organization settings. Go to Organization name → Settings in the Raster app.
  2. Generate a new key. In the API keys section, generate a new key. Copy it immediately — for security, the full key is shown only once.
  3. Grant library access. Enable Read access for every library the key should reach. Add Write access if the connection will upload, delete, tag, or move assets. Save your changes.

Treat API keys like passwords. Never commit them to source control or expose them in client-side code. If a key leaks, regenerate it immediately — the old value stops working at once.

Access levels

Each key carries a per-library access level. Tools check this level before running:

A tool that targets a library the key cannot reach fails with API_KEY_NOT_AUTHORIZED_FOR_LIBRARY (404) — the same response as an unknown library, so the key learns nothing about libraries it has no access to. See Errors.

Authenticating the connection

Send your key as a bearer token in the Authorization header on every request to https://mcp.raster.app/:

Authorization: Bearer <API_KEY>

In most MCP clients — Claude, ChatGPT, Cursor, VS Code, and others — you paste the key once when adding the remote server; the client attaches the header to every request for you. See Connect Raster for the per-client steps.

Requirements

  • HTTPS only. Requests over plain HTTP are rejected.
  • Authentication required. A missing or malformed Authorization header is rejected with 401 before any tool runs.
  • Scope matters. The key must have the right access level for every library a tool touches.
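
The following Python is an added example, not Raster's own code: it builds the authenticated request described above while keeping the key in an environment variable, refusing non-HTTPS URLs, and redacting the header before it reaches a log. The variable name RASTER_API_KEY, the helper names, and the placeholder request body are assumptions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

MCP_URL = "https://mcp.raster.app/"  # endpoint given on this page
KEY_ENV_VAR = "RASTER_API_KEY"       # assumed variable name, not defined by Raster


def load_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key or any(c.isspace() for c in key):
        raise ValueError(f"{KEY_ENV_VAR} is unset or malformed")
    return key


def build_request(key, body=b"{}", url=MCP_URL):
    """Build a POST carrying the bearer token; refuse anything but HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    # body is a placeholder; the MCP client normally supplies the JSON message
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {key}",
                 "Content-Type": "application/json"},
    )


def redacted_headers(req):
    """Copy of the request headers that is safe to write to logs."""
    return {
        name: "Bearer <redacted>" if name.lower() == "authorization" else value
        for name, value in req.header_items()
    }


def explain_status(status):
    """Map the two auth-related statuses this page documents to a next step."""
    if status == 401:
        return "missing or malformed Authorization header"
    if status == 404:
        return "library unknown or not granted to this key; check key scope"
    return "not an authentication status described on this page"
```

Pass the request to `urllib.request.urlopen` to send it; log `redacted_headers(req)` rather than the request itself.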
