How Authentication Works
Your API key is sent as thex-leadmagic-key header on every MCP request. The server validates the key against the LeadMagic API and checks that your account has available credits.
Per-Request
Your key is passed on every request and never stored on the server.
One Key
Same key as the REST API and CLI — manage it in one place.
Credit-Based
Each tool call deducts credits from your account balance.
Get Your API Key
Sign up or log in
Go to app.leadmagic.io and create an account or sign in.
Navigate to API settings
Open Settings > API.
Security Best Practices
Never commit keys to version control
Never commit keys to version control
If you use a project-level MCP config file (For team-shared configs, use environment variable interpolation where your client supports it.
.cursor/mcp.json, .vscode/mcp.json, .mcp.json), add it to .gitignore:Use environment variables when possible
Use environment variables when possible
Some MCP clients support env var interpolation in config files:
- Windsurf:
"${env:LEADMAGIC_API_KEY}" - VS Code: Use
inputvariables withpassword: true(see setup guide) - Claude Code: Store the key in
~/.claude.json(local scope, not committed)
Rotate keys if compromised
Rotate keys if compromised
If your key is exposed, generate a new one immediately at Settings > API and update your MCP client config.
Monitor usage
Monitor usage
Check your credit consumption regularly. Use the
check_credits tool (free) or visit your dashboard.Authentication Errors
| Error | Cause | Solution |
|---|---|---|
401 Unauthorized | Missing or invalid API key | Check that x-leadmagic-key is set correctly in your config |
403 Forbidden | No credits remaining | Purchase credits or check your balance |
Invalid API key | Malformed key | Ensure the key starts with lm_ and is copied completely |