API Keys

API keys authenticate your integrations with Brandmanna. You need them to connect the MCP server, verify webhook payloads, or build any custom programmatic integration.

What API Keys Are Used For

• MCP server authentication — The Manna MCP Server uses your API key to access your brands, drafts, and content on your behalf. You pass the key as the MANNA_API_KEY environment variable in your MCP client configuration.
• Webhook signature verification — When you configure a webhook on a brand, Brandmanna generates a secret token for payload signing. Your API key authenticates the initial webhook configuration.
• Programmatic access — Any custom scripts or tools that need to interact with Brandmanna's API can authenticate using an API key in the request headers.

Key Format

All API keys use the manna_ prefix followed by 40 hexadecimal characters:

manna_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0

This prefix makes it easy to identify Brandmanna keys in your environment variables, configuration files, and secret managers. If you see a key starting with manna_, you know it belongs to Brandmanna.

Creating an API Key

1. Go to Account Settings from the navigation menu.
2. Scroll to the API Keys section.
3. Click Create New Key.
4. Enter a descriptive name for the key (e.g., "Claude Desktop", "Zapier Integration", "Dev Script").
5. Click Create.
6. Copy the key immediately. It is displayed only once and cannot be retrieved later.

After creation, the key list shows only the key name, a masked preview, and the creation date. You cannot view the full key again.

Security

Brandmanna takes API key security seriously:

• One-time display — Keys are shown in full only at the moment of creation. After you close the dialog, the full key is never displayed again.
• SHA-256 hashing — Brandmanna stores only a SHA-256 hash of your key. Even if the database were compromised, your raw key could not be recovered.
• No retrieval — There is no "show key" or "recover key" option. If you lose a key, revoke it and create a new one.

Recommended practices

• Treat your API key like a password. Never commit it to version control or share it in plain text.
• Use environment variables to pass keys to your integrations rather than hardcoding them in configuration files.
• Store keys in a secret manager (e.g., 1Password, AWS Secrets Manager, or your OS keychain) when possible.
• Never include keys in client-side code, public repositories, or chat messages.

Limits

You can have a maximum of 5 active API keys at any time. This limit applies to your entire account, regardless of how many brands you have.

If you need to create a new key and have reached the limit, revoke an unused key first to free up a slot.

Revoking a Key

1. Go to Account Settings > API Keys.
2. Find the key you want to revoke in the list.
3. Click the Revoke button next to it.
4. Confirm the revocation in the dialog.

Once revoked, any integration using that key will immediately lose access. The revocation takes effect instantly — there is no grace period.

You cannot undo a revocation. If you revoke a key by mistake, you will need to create a new key and update your integrations with the new value.

Key Rotation

To rotate a key without downtime:

1. Create a new API key with a descriptive name (e.g., "Claude Desktop v2").
2. Update the key in your integration (MCP client config, webhook settings, or scripts).
3. Verify that the integration works with the new key.
4. Revoke the old key.

This approach ensures your integration is never disconnected during the rotation.

Troubleshooting

"Maximum keys reached" error

You have 5 active keys. Revoke a key you are no longer using, then try creating a new one.

"Invalid API key" error

Double-check that you copied the full key (including the manna_ prefix) and that it has not been revoked. If you are unsure, create a new key.

Integration stopped working

Check whether the key was revoked in Account Settings > API Keys. If the key is no longer listed as active, create a new one and update your integration.