Authentication
All requests to the Upwork Job Search MCP server require authentication via API keys passed as Bearer tokens.
API Keys
API keys are the primary authentication mechanism. Each key is tied to your account and grants access to all Upwork Job Search MCP tools based on your subscription plan.
Key format
All API keys start with the gm_ prefix, followed by a base64url-encoded random string. Example:
Using Your Key
Pass your API key in the Authorization header as a Bearer token. MCP clients handle this automatically when configured properly.
curl -X POST https://mcp.getmany.com.ua/mcp \
-H "Content-Type: application/json" \
-H "Authorization: Bearer gm_your_api_key_here" \
-d '{
"jsonrpc": "2.0",
"method": "tools/list",
"id": 1
}'Security
Hashed storage
API keys are hashed with SHA-256 before storage. We never store your key in plain text.
Account scoping
Each key is scoped to your account and subscription plan. Keys cannot be shared across accounts.
Revocable
You can revoke any key instantly from your dashboard. Revoked keys are rejected immediately.
Rotatable
Generate new keys at any time. We recommend rotating keys periodically as a security best practice.
Error Responses
If your key is missing, invalid, or revoked, the server returns a 401 status:
{
"error": {
"code": 401,
"message": "Invalid or missing API key"
}
}Best Practices
- Never commit API keys to version control. Use environment variables or secrets managers.
- Use separate keys for development and production environments.
- Rotate keys periodically and revoke unused keys.
- Monitor your usage in the dashboard to detect unauthorized access.
- Each team member should have their own API key for accountability.
See API keys in action
These tutorials assume your API key is wired into an MCP client and ready to go.