API keys are the fastest way to authenticate with Navis Ops. You create one in Settings, copy it once, and use it as a bearer token in every request. API keys work with any HTTP client, any AI assistant, and any language — no OAuth flow required. The token starts with nops_ so you can identify it easily in configuration files and logs.

Creating an API key

1. Open Connected Apps

In the Navis Ops sidebar, click Settings, then navigate to Connected Apps.

2. Create a new key

Click Create API key. Give the key a descriptive name — for example, “Claude Desktop” or “CI pipeline” — so you know what it is for when you need to revoke it later.

3. Pick a scope

Choose the level of access the key needs:

Scope | Label in UI | What it grants
mcp:read | Read | Read access to all workspace data
mcp:write | Read + Write | Read access plus the ability to create, update, and delete data

mcp:write implies mcp:read. There is no per-tool access control — a write-scoped key grants every write operation. If you want a key that can only read data, choose Read.

4. Set an expiration (optional)

You can set an expiration date at creation time. API keys do not expire by default — they stay active until you revoke them. Set an expiration if you want the key to stop working automatically after a certain date.

5. Copy the token immediately

Click Create. Navis Ops shows the full token exactly once. Copy it now — it starts with nops_ and will not be shown again.
If you lose an API key, you cannot retrieve it. Revoke the existing key and create a new one.

Using an API key in requests

Pass the token in the Authorization header as a bearer credential on every request:
Authorization: Bearer nops_your_token_here

Example: calling the MCP server

curl https://<your-supabase-project>.supabase.co/functions/v1/mcp-server-v2 \
  -H "Authorization: Bearer nops_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/list",
    "params": {}
  }'

Example: AI client configuration

Most AI clients accept a static header for MCP server authentication. The exact configuration format varies by client — check your client’s documentation for its MCP config file syntax. The key fields are always:
  • Server URL: https://<your-supabase-project>.supabase.co/functions/v1/mcp-server-v2
  • Authorization header: Bearer nops_your_token_here
{
  "mcpServers": {
    "navis-ops": {
      "url": "https://<your-supabase-project>.supabase.co/functions/v1/mcp-server-v2",
      "headers": {
        "Authorization": "Bearer nops_your_token_here"
      }
    }
  }
}

Managing API keys

Viewing active keys

All your active API keys appear in Settings → Connected Apps. Each row shows the key name, scope, creation date, expiration date (if set), and the last time the key was used.

Revoking a key

To revoke a key, click Revoke next to it in Settings → Connected Apps. Revocation is immediate — the next request using that key returns a 401 Unauthorized response.
Use separate API keys for each client or integration. That way, if you need to revoke one, you do not affect the others.

Best practices

  • One key per client. Create a separate key for each AI assistant, script, or integration. This makes it easy to revoke access for one client without disrupting others.
  • Use read-only scope when possible. If your integration only needs to read data, create an mcp:read key. Reserve mcp:write keys for integrations that need to create or modify workspace data.
  • Set an expiration for temporary use. If you’re creating a key for a short-lived script or test, set an expiration date so the key automatically becomes inactive when you no longer need it.
  • Store keys as environment variables. Never hard-code an API key in source code. Use environment variables or a secrets manager.
  • Revoke keys you no longer use. Inactive keys still grant access. Revoke them when the integration is retired.
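
The nops_ prefix makes the "never hard-code an API key" rule checkable before a commit or a log upload. The scanner below is an added example, not Navis Ops code: it flags hard-coded tokens in text, skips the documentation placeholder, and redacts what it reports. The token body alphabet and minimum length, the NAVIS_OPS_API_KEY variable name, and all sample inputs are assumptions constructed for illustration.

```python
import re

# Assumption: the page documents only the "nops_" prefix. The body alphabet
# and the 12-character minimum are guesses; tune them against real tokens.
TOKEN_RE = re.compile(r"\bnops_[A-Za-z0-9_-]{12,}")
# Placeholder used in the documentation examples; never a live credential.
PLACEHOLDERS = {"nops_your_token_here"}


def redact(token: str) -> str:
    """Keep the prefix plus 4 characters so a finding can be tied to a key."""
    return token[:9] + "*" * (len(token) - 9)


def scan(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file name, line number, redacted token) per hard-coded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((name, lineno, redact(match.group(0))))
    return findings


# Constructed inputs: not real files, and the token is not a real key.
SAMPLES = {
    "mcp.json": '{\n  "headers": {\n'
                '    "Authorization": "Bearer nops_EXAMPLEexample0123456789"\n'
                "  }\n}",
    "docs.md": 'curl -H "Authorization: Bearer nops_your_token_here"',
    # Reading the key from the environment leaves nothing to flag.
    "run.sh": 'curl -H "Authorization: Bearer ${NAVIS_OPS_API_KEY}"',
    "app.log": "10:02:11 auth ok\n"
               "10:02:12 retry token=nops_EXAMPLEexample0123456789",
}


def scan_all(samples: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan every sample and return the combined findings in input order."""
    return [f for name, text in samples.items() for f in scan(name, text)]


if __name__ == "__main__":
    for name, lineno, token in scan_all(SAMPLES):
        print(f"{name}:{lineno}: hard-coded API key {token}")
```

Any key the scanner finds in a repository or log should be treated as exposed: revoke it in Settings → Connected Apps and create a replacement.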