arcanon

API Keys

Create and manage org-scoped API keys for plugin and MCP authentication.

Overview

API keys authenticate the Arcanon Claude Code plugin, the bundled MCP server, and direct REST calls against Arcanon Hub. Each key is scoped to one org and has configurable permissions.

Creating a key

  1. Go to Settings > API Keys
  2. Click Create API key
  3. Enter a name (e.g., "CI Pipeline", "Local dev")
  4. Copy the key immediately — it's shown only once

Keys start with arc_ and are 43 characters long. Store them securely.

Using a key

Claude Code plugin

Inside Claude Code:

/arcanon:login arc_your_key_here

The key is persisted to ~/.arcanon/config.json (mode 0600). Subsequent /arcanon:sync and MCP calls use it automatically.

MCP Server

The plugin registers its MCP server automatically — if you've logged in via /arcanon:login, no extra config is needed. For standalone MCP clients (outside Claude Code), pass the key via environment variable:

{
  "mcpServers": {
    "arcanon": {
      "command": "/path/to/plugin/scripts/mcp-wrapper.sh",
      "env": {
        "ARCANON_API_KEY": "arc_your_key_here"
      }
    }
  }
}

Scan upload

Direct scan uploads (e.g., from CI) use the /api/v1/scans/upload endpoint:

curl -H "Authorization: Bearer arc_your_key_here" \
  -H "Content-Type: application/json" \
  --data @scan.json \
  https://api.arcanon.dev/api/v1/scans/upload

In day-to-day use, the plugin handles this for you — /arcanon:sync uploads the local graph built by /arcanon:map.

Arcanon's arc_* keys are scoped to two programmatic surfaces: scan upload and the plugin-bundled MCP server. The team dashboard at app.arcanon.dev uses its own browser login and does not accept arc_* keys.
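
The shell functions below are an added example, not Arcanon's own code: they check the key format and config file mode stated above, and send the upload with the Authorization header on curl's stdin so the key stays out of the process list. Assumptions: the 43 characters include the arc_ prefix, CI supplies the key in ARCANON_API_KEY, and curl is 7.55.0 or later (needed for -H @-); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for Arcanon key handling (hypothetical helpers).

# Succeeds when the key has the arc_ prefix and is 43 characters long.
# Assumption: the 43 characters include the prefix.
arc_key_format_ok() {
    key=$1
    case "$key" in
        arc_*) [ "${#key}" -eq 43 ] ;;
        *) return 1 ;;
    esac
}

# Succeeds when the config file exists with mode 0600 (owner read/write only).
arc_config_mode_ok() {
    file=${1:-"$HOME/.arcanon/config.json"}
    [ -f "$file" ] || return 1
    # GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Uploads a scan file. The header is written by printf (a builtin in bash and
# dash) and read by curl from stdin, so the key never appears in curl's argv.
# Returns 2 without contacting the network if the key is unset or malformed,
# which also catches an unreplaced arc_your_key_here placeholder.
arc_upload() {
    scan_file=$1
    if ! arc_key_format_ok "${ARCANON_API_KEY:-}"; then
        echo "ARCANON_API_KEY is unset or not a 43-character arc_ key" >&2
        return 2
    fi
    printf 'Authorization: Bearer %s\n' "$ARCANON_API_KEY" |
        curl --fail --silent --show-error \
            -H @- \
            -H "Content-Type: application/json" \
            --data @"$scan_file" \
            https://api.arcanon.dev/api/v1/scans/upload
}
```

In a CI job, call arc_upload scan.json after the secret store has exported ARCANON_API_KEY; on a workstation, arc_config_mode_ok with no argument checks ~/.arcanon/config.json.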

Rotating a key

Click Rotate on an existing key. A new key is issued and the old one enters a 24-hour grace period — both work during this window. After 24 hours, the old key stops working.

Revoking a key

Click Delete on a key. It stops working immediately. Active scanner sessions using that key will fail on their next upload.

Security

  • Keys are stored as SHA-256 hashes — Hub never stores the plaintext
  • Each key is scoped to one org via RLS — it cannot access other orgs' data
  • Rate limits apply per key: 200 reads/min, 50 writes/min
