OutOfMemory Docs

API Keys

Create, scope, and manage API keys for Shot MCP access.

API keys authenticate your AI tools (Claude, ChatGPT, Cursor, etc.) against Shot's MCP server. Each key is tied to your organization and can be scoped to specific projects.

Creating a key

  1. Go to API Keys in the sidebar

  2. Click Create API Key

  3. Fill in the details:

    • Name — A descriptive label (e.g., "Claude Desktop — Sales team")
    • Project scope — Optionally restrict access to specific projects (up to 100)
    • Expiration — Optionally set an expiry date

  4. Click Create and copy the key immediately — it won't be shown again

All keys start with the smc_ prefix.

Project scoping

By default, a key can access all projects in your organization. For tighter access control, scope keys to specific projects:

  • Team-scoped keys — Give each revenue team a key that only accesses their projects
  • Tool-scoped keys — Give each AI tool (Claude Desktop vs. Cursor) its own key for auditability
  • Temporary keys — Create short-lived keys for contractors or demos with an expiration date

When a key is scoped to projects, add_memory, search_memories, and other tools will only operate within those projects. Attempting to access an out-of-scope project returns an error.

Expiration

Keys can optionally have an expiration date. Expired keys are rejected immediately. This is useful for:

  • Contractor or vendor access with a natural end date
  • Compliance requirements that mandate key rotation
  • Demo environments

Revocation

To revoke a key:

  1. Go to API Keys
  2. Find the key in the list
  3. Click the actions menu and select Delete

Revocation is immediate. Any MCP connections using that key will fail on the next request.

Best practices

  • One key per user or team — This gives you clear audit trails showing who stored or searched for what.
  • Scope to projects — Avoid organization-wide keys when possible. Scoped keys reduce the blast radius if a key is leaked.
  • Rotate regularly — Set expiration dates and create new keys periodically, especially for shared team keys.
  • Never commit keys — Add .mcp.json and .cursor/mcp.json to .gitignore. Use environment variables or secrets management for CI/CD.
  • Monitor usage — Check the Audit Log in the dashboard to review memory operations by key.

Rate limits

Each API key is subject to rate limiting:

  • 120 requests per minute per key
  • 30 AI operations per minute per key (embeddings, classifications, resolution)

If you hit rate limits, consider distributing load across multiple keys or reducing request frequency.

Memory Types

Reference for the 6 memory categories in Shot.

On this page

Creating a keyProject scopingExpirationRevocationBest practicesRate limits
API Keys