Skip to main content

How to Connect headless AI Agents to AutoRFP using API keys

Run AutoRFP's MCP server from server-side agents, scheduled jobs, and internal AI assistants — no browser, no login screen, no per-user OAuth.

Written by Nitzan Gorodetsky

Article Summary

Normally, connecting an AI assistant like Claude or ChatGPT to AutoRFP means signing in through your browser and clicking "Approve". That works great when a person is using the assistant. But some tools don't have a person behind them — for example, an AI agent your company runs on its own servers, or an automated workflow that checks your RFPs every morning. These tools can't open a browser and log in.

For those, AutoRFP offers API keys: a special password you create once, that lets a tool stay connected permanently. You stay in control the whole time, meaning you choose exactly what the key can see, and you can switch it off at any moment.


Prerequisites

  • An AutoRFP admin account

  • An MCP client that supports the Streamable HTTP transport with custom headers — this includes the official MCP SDKs (TypeScript, Python), Claude Code, the Claude API's MCP connector, and most agent frameworks


💡 Is an API key right for you?

  • A person using Claude, ChatGPT, or similar? → No. Use the normal browser login. Each team member should connect their own account.

  • An automated tool, shared bot, or company-run AI agent? → Yes, an API key is the right fit.


Step-by-Step Instructions

Step 1 — Create a "service account" user (recommended)

An API key always works as one of the users in your workspace. Whatever that user can see, the key can see. Whatever they can't, it can't.

We recommend not tying the key to a real person. If that person ever leaves and their account is deactivated, the key stops working and your integration breaks. Instead, invite a dedicated user just for this — something like [email protected] — and give it access to the projects your tool should see.

This is called a service account.


Step 2 — Create the API key

  1. Go to Organization → Developer → API Keys and click Create API Key.

  2. Give it a name you'll recognize later, like "Sales team AI agent".

  3. Choose the service account user from Step 1.

  4. Tick what the key is allowed to see. Each option has a badge showing where it applies — for connecting AI agents, you want the ones badged MCP:

    • Projects — your RFP projects, questions, and answers

    • Content library — your approved answer library

    • Tags — your tag categories

    Only tick what your tool actually needs.

  5. Click create, and copy the key straight away. For security, it's shown only this once — like a password reset, you can't look it up again later. If you lose it, just create a new one.


Step 3 — Hand it over

The confirmation screen shows a ready-made connection snippet for the MCP server. It contains the two things your tool needs:

  1. The server address (a web link ending in /mcp)

  2. The key itself, which goes into a setting usually called an authorization header or bearer token

Copy the MCP snippet and pass it — securely — to whoever sets up your tool. Most AI agent tools have a "connect an MCP server" or "add integration" screen with exactly these two fields. Send the key via a password manager or your IT team's approved method, not in a plain email or chat message.

That's it! Once the tool has the address and the key, it's connected — permanently, until you switch it off.


What the connection can (and can't) do

The connection is read-only. Your tool can look things up — list projects, read questions and answers, search your content library — but it can never create, change, or delete anything in AutoRFP.

It only sees what you allowed it to see: the boxes you ticked in Step 2, filtered through what the service account user has access to. If your agent can't find a certain project, check that the service account is a member of it.


💡 Tips & Best Practices

  • Name keys so future-you understands them. "Sales team AI agent — created July 2026" beats "Key 1". Six months from now, you'll want to know at a glance what each key is for and whether it's still needed.

  • Only tick the boxes your tool actually needs. If your agent only searches the content library, don't give it access to projects too. You can always create a new key with more access later — starting small is the safer default.

  • Give each tool its own key. Connecting two tools? Create two keys. If one tool is retired or misbehaves, you can switch off its key without disturbing the other.

  • When in doubt, revoke and recreate. Keys are free and instant to make. If you're ever unsure whether a key was exposed or who has it, just revoke it and issue a fresh one — the only cost is pasting the new key into your tool.


✋🏼 Common Mistakes to Avoid

  • Using an API key for personal AI assistants. If a team member wants to use AutoRFP from Claude or ChatGPT, they should connect their own account with the normal login — that keeps their activity under their own name.

  • Tying the key to a real employee. When they leave and their account is deactivated, the key dies with it. Use a service account.

  • Not ticking enough boxes. If your tool says it can't access projects or content, the key probably wasn't given that scope. Scopes can't be changed after creation — just create a new key with the right ones ticked and revoke the old one.

  • Losing the key. It's only shown once. No harm done — revoke it and create a fresh one.


Need Help?

💬 Live Chat: Available in-app

📚 Learning Centre: learn.autorfp.ai/en

Did this answer your question?