Authentication

API keys, OAuth flow, rate limits, and security best practices for accessing Investra tools.

API Keys

API keys are the primary way to authenticate with the Investra MCP server. Each key is tied to your account and determines which tools you can access based on your plan.

Key format: All keys begin with the prefix inv_ followed by a random alphanumeric string (e.g. inv_abc123def456...).

You can have one active API key at a time. Generating a new key will not revoke your existing key — you must revoke it manually if you want to rotate.

How to Generate an API Key

Follow these steps to create your API key:

  1. Log in to investraapp.com with your email or Google account.
  2. Open your profile — click your avatar or name in the top-right corner, then select Profile.
  3. Go to the Developer tab — on the Profile page, click the Developer tab. This is where your API keys and usage are managed.
  4. Click "Generate API Key" — the button is in the API Keys section. A new key will be generated immediately.
  5. Copy the key now — the full key is shown only once. Click the copy icon to copy it to your clipboard. Store it somewhere safe (password manager, secure note, etc.).

You will not be able to see the full key again. If you lose it, you will need to revoke it and generate a new one. We only store a hashed version for security.

After generating, you will see a masked version of the key (e.g. inv_****...7f3a) in your Developer dashboard along with its creation date and status.

Using API Keys with MCP

When connecting through an MCP client (Claude Code, Claude Desktop, claude.ai), the client handles authentication for you after you enter your API key during setup. Under the hood, the key is sent as a Bearer token in the Authorization header:

Authorization: Bearer inv_your_api_key_here

If you are building a custom MCP client or making direct HTTP requests, include this header with every request to https://www.investraapp.com/api/mcp.

OAuth 2.0 Flow

For HTTP transport MCP connections, Investra supports the standard OAuth 2.0 authorization code flow. This is handled automatically by compliant MCP clients, but here is the flow for reference:

  1. The MCP client redirects the user to the Investra authorize endpoint.
  2. The user logs in and grants access.
  3. Investra redirects back to the client with an authorization code.
  4. The client exchanges the code for an access token at the token endpoint.
  5. The access token is used in subsequent MCP requests as a Bearer token.

Most users will not need to interact with the OAuth flow directly. MCP clients like Claude Code and Claude Desktop handle the entire flow behind the scenes when you authenticate via /mcp or the settings UI.

Rate Limits

API requests are rate-limited based on your plan tier. Rate limits apply per API key and are measured in requests per minute and per day.

Plan     | Requests / Minute | Daily Limit | Off-Market Lookups | Skip Traces
Free     | 10                | 100         | Not included       | Not included
Pro      | 30                | 1,000       | 50 / month         | Not included
Pro Plus | 60                | 5,000       | 500 / month        | 100 / month

What happens when you hit a rate limit:

  • The server responds with HTTP 429 Too Many Requests.
  • The response includes a Retry-After header indicating how many seconds to wait.
  • Claude will typically display a message like "rate limit exceeded" and may retry automatically after a short delay.
  • Your data and account are not affected — you simply need to wait before making more requests.

What happens when you hit a daily limit:

  • All tool calls will return a 429 error until midnight UTC.
  • Upgrade your plan to get a higher daily limit immediately — the new limits take effect right away.
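For custom clients making direct HTTP requests, here is a sketch of a caller that sends the Bearer header and respects Retry-After on a 429. This is an added example, not Investra's own code. The function names, the JSON content type, the retry cap and the delay ceiling are assumptions; the request body format is not specified on this page, so the caller supplies it.

```python
import os
import re
import time
import urllib.error
import urllib.request

MCP_URL = "https://www.investraapp.com/api/mcp"  # endpoint given on this page
KEY_RE = re.compile(r"inv_[A-Za-z0-9]+")  # documented format: inv_ + alphanumerics


def load_key(env=os.environ):
    """Read the key from INVESTRA_API_KEY and reject anything malformed."""
    key = env.get("INVESTRA_API_KEY", "")
    if not KEY_RE.fullmatch(key):
        raise ValueError("INVESTRA_API_KEY is missing or not an inv_ key")
    return key


def http_post(url, headers, body):
    """Default transport: returns (status, response headers, body bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx, including 429
        return err.code, dict(err.headers), err.read()


def retry_delay(headers, default=5.0, ceiling=60.0):
    """Seconds to wait, from Retry-After; bounded so a bad value cannot stall us."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        return min(max(int(value), 0.0), ceiling)
    except ValueError:
        return default


def call_mcp(body, key, transport=http_post, sleep=time.sleep, max_retries=3):
    """POST body with the Bearer key; on 429 wait as told, up to max_retries."""
    # Content-Type is an assumption; the page documents only the Authorization header.
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    for attempt in range(max_retries + 1):
        status, resp_headers, data = transport(MCP_URL, headers, body)
        if status != 429:
            return status, data
        if attempt < max_retries:
            sleep(retry_delay(resp_headers))
    # Still limited: likely the daily cap, which lasts until midnight UTC.
    raise RuntimeError("rate limit persists after retries; stop and check usage")
```

The retry cap matters for the daily limit: once it is reached, every call returns 429 until midnight UTC, so an unbounded retry loop would only generate more rejected requests.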

For full plan details and pricing, visit investraapp.com/pricing.

Checking Your Usage

You can check your current API usage and remaining quota at any time:

  1. Log in to investraapp.com.
  2. Go to Profile > Developer.
  3. Your usage dashboard shows:
    • Requests today — how many API calls you have made today vs. your daily limit.
    • Off-market lookups — credits used this month (paid plans only).
    • Skip traces — lead credits used this month (Pro Plus only).

Usage resets daily at midnight UTC for request limits, and on your billing date for monthly credit allowances (off-market lookups and skip traces).

Security Best Practices

  • Never share your API key publicly. Do not post it in GitHub issues, Discord, or forums.
  • Do not commit keys to source control. Use environment variables or a secrets manager instead of hardcoding keys in your code.
  • Rotate keys regularly. If you suspect a key has been compromised, revoke it immediately and generate a new one.
  • Use environment variables. Store your key in an environment variable like INVESTRA_API_KEY and reference it in your configuration.
  • Limit key exposure. Only share your API key with trusted applications and services.

# Example: Store key in environment variable
export INVESTRA_API_KEY="inv_your_api_key_here"
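
To enforce the "do not commit keys to source control" rule, a pre-commit check can look for strings shaped like the inv_ key format described above. This is an added example, not part of Investra's tooling. The 16-character minimum length, the function names and the sample key are assumptions made for illustration.

```python
import re
import sys

# Documented format: "inv_" followed by random alphanumerics. The page does not
# state the length, so the 16-character minimum is an assumption to tune.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])inv_[A-Za-z0-9]{16,}(?![A-Za-z0-9_])")


def mask(key):
    """Render a key like the dashboard does, so reports never repeat the secret."""
    return f"inv_****...{key[-4:]}"


def scan_text(text, name="<input>"):
    """Return (name, line number, masked key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, mask(match.group())))
    return findings


def scan_files(paths):
    """Scan each file; undecodable bytes are replaced rather than aborting."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), path))
    return findings


# Constructed sample: one hardcoded key (made up for this example), the
# placeholder from this page, and an environment-variable reference.
SAMPLE = '''\
API_KEY = "inv_9fK2mQ7xL0pR4tV8bN3cZ1aY"
export INVESTRA_API_KEY="inv_your_api_key_here"
key = os.environ["INVESTRA_API_KEY"]
'''

if __name__ == "__main__":
    # As a pre-commit hook, pass the staged file paths as arguments.
    hits = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample")
    for name, lineno, masked in hits:
        print(f"{name}:{lineno}: possible Investra API key {masked}")
    sys.exit(1 if hits else 0)
```

Only the hardcoded key on the first sample line is reported; the documentation placeholder and the environment-variable lookup pass. A key that this check catches in a commit should still be treated as exposed and revoked.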

Revoking Keys

If you need to revoke an API key (for example, if it has been leaked or you want to rotate it):

  1. Log in to investraapp.com.
  2. Navigate to Profile > Developer.
  3. Click Revoke next to the key you want to disable.
  4. Confirm the revocation.

Once revoked, any MCP connection using that key will immediately stop working. You will need to generate a new key and re-authenticate your MCP clients.

Revoking a key is immediate and irreversible. Make sure you have a new key ready before revoking your current one if you want to avoid downtime.