Only Admin and Owner roles can create or revoke API keys. Other members can’t see this page.
Creating an API key
Name the key
Give the key a descriptive name (e.g. Cursor MCP, CI Findings Sync, Dashboard Export). The name is visible only to your team.
Permissions
| Permission | Scope |
|---|---|
| Read only | Read access to findings, assets, pentests, reports, and integrations |
| Read & Write | Same as read, plus mutation access (status changes, asset edits, etc.) |
Revoking a key
To revoke a key, click the revoke action next to it in the table and confirm. Any integration using that key will stop working immediately. Revocation cannot be undone.
Connecting an AI agent (MCP)
The Odin MCP server lets AI agents query your organisation’s data through the Model Context Protocol. Once connected, you can ask agents like Cursor, Claude, or Codex questions like “What are my critical findings?” or “List recently discovered assets” and get live answers. Expand the Setup guide: connect an AI agent card on the API Keys page to see ready-to-paste configuration snippets for:
- Cursor — add to .cursor/mcp.json or via Settings > MCP
- Claude Desktop — add to claude_desktop_config.json
- Claude Code — register from the terminal with claude mcp add
- Codex — add to ~/.codex/config.toml
npx @borgresearch/odin-mcp with your API key supplied as the ODIN_API_KEY environment variable.
For Windsurf, VS Code, Cline, and other MCP clients, see the Odin MCP package on npm for client-specific configuration.
Security notes
- Treat API keys like passwords. Never commit them to source control or share them in chat.
- Use one named key per integration or agent so you can revoke a single key if a machine or session is compromised.
- Keys are scoped to a single organisation. They can’t access data from other organisations a key holder belongs to.
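A project-level .cursor/mcp.json is the easiest place for a key to slip into source control, so the following pre-commit style check is added here as an example (it is not part of Odin or its documentation). It assumes the common MCP client layout of an `mcpServers` object with a per-server `env` block, and treats a `${...}` value as a reference rather than a literal; both are assumptions, and the sample key is constructed.

```python
import json
import re
import sys
from pathlib import Path

KEY_VAR = "ODIN_API_KEY"  # variable name taken from the page
CONFIG_NAMES = {"mcp.json", "claude_desktop_config.json"}
# Assumed reference syntax (e.g. ${env:ODIN_API_KEY}); adjust to your client.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")


def literal_keys(config_text):
    """Return names of MCP servers whose env block holds a literal key value."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError:
        return []
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return []
    hits = []
    for name, server in servers.items():
        env = server.get("env") if isinstance(server, dict) else None
        value = env.get(KEY_VAR) if isinstance(env, dict) else None
        if isinstance(value, str) and value.strip() and not PLACEHOLDER.match(value.strip()):
            hits.append(name)
    return hits


def scan_repo(root):
    """Map each offending config file (relative path) to its server names."""
    findings = {}
    for path in Path(root).rglob("*.json"):
        if path.name in CONFIG_NAMES and ".git" not in path.parts:
            hits = literal_keys(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample config; the key value is a placeholder, not a real key.
SAMPLE_BAD = '{"mcpServers": {"odin": {"command": "npx", "args": ["@borgresearch/odin-mcp"], "env": {"ODIN_API_KEY": "EXAMPLE-NOT-A-REAL-KEY"}}}}'

if __name__ == "__main__":
    found = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, names in found.items():
        print(f"{rel}: literal {KEY_VAR} in server(s): {', '.join(names)}")
    sys.exit(1 if found else 0)
```

Run it from a pre-commit hook or CI step with the repository root as its argument; a non-zero exit means a config file carries a literal key and that key should be revoked and reissued.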