Authentication

The Energetica MCP server uses Bearer token authentication. Every request must include an API key in the Authorization header.

API key format

Keys start with ek_ followed by 32 hexadecimal characters, for a total length of 35 characters:

ek_a1b2c3d4e5f6789012345678901234ab

Keys are generated from cryptographically secure random bytes and stored hashed at rest. The full key is shown only once, at creation time.

Sending requests

For Streamable HTTP transport, include the key in the Authorization header:

POST /api/mcp HTTP/1.1
Host: energetica.ar
Authorization: Bearer ek_a1b2c3d4e5f6789012345678901234ab
Content-Type: application/json

{"jsonrpc":"2.0","method":"tools/list","id":1}

Generating and revoking keys

From your profile page you can:

  • Create a new Explorer-tier API key (max 3 active per account)
  • View masked existing keys (e.g. ek_a1b2...34ab) and their last-use date
  • Revoke a key — takes effect immediately on the next request (key cache TTL is 5 minutes; revocation invalidates the cache)

Higher-tier keys (Analyst, Professional, Enterprise) are issued through the pricing flow after subscribing.

Error codes

Authentication errors return JSON-RPC error responses:

Code     HTTP   Meaning
-32001   401    Missing, invalid or revoked API key
-32029   429    Rate limit exceeded (daily or burst)
-32000   400    Invalid session or missing initialize request

Example rejection:

{
  "jsonrpc": "2.0",
  "error": {
    "code": -32001,
    "message": "Missing or invalid API key. Get one at https://energetica.ar/mcp"
  },
  "id": null
}

Security recommendations

  • Never commit API keys to version control. Use environment variables.
  • Rotate keys periodically — create a new one, switch your client, then revoke the old one.
  • Use a separate key per integration so you can revoke one without affecting the rest.
  • If a key leaks, revoke it immediately from your profile page.
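
The recommendations above, together with the key format and error table, as a client-side helper. This is an added example, not Energetica's own code. The environment variable name ENERGETICA_API_KEY, the function names, the reaction strings and the acceptance of upper-case hex are assumptions.

```python
import os
import re

# Format from this page: "ek_" followed by 32 hexadecimal characters (35 total).
# Accepting upper-case hex is an assumption; the page's sample key is lower-case.
KEY_RE = re.compile(r"\bek_[0-9a-fA-F]{32}\b")

# JSON-RPC code -> (HTTP status, suggested client reaction). Codes and statuses
# are from the error table on this page; the reactions are this example's own.
AUTH_ERRORS = {
    -32001: (401, "stop and replace the key; do not retry"),
    -32029: (429, "back off and retry later"),
    -32000: (400, "send initialize again to open a new session"),
}


def mask_key(key):
    """Mask a key the way the profile page does, e.g. ek_a1b2...34ab."""
    return f"{key[:7]}...{key[-4:]}"


def load_key(env=os.environ, name="ENERGETICA_API_KEY"):
    """Read the key from the environment (variable name is hypothetical)."""
    key = env.get(name, "")
    if not KEY_RE.fullmatch(key):
        # Never echo the candidate value: it may be a real key with a typo.
        raise ValueError(f"{name} is unset or not in ek_ + 32 hex format")
    return key


def auth_headers(key):
    """Headers for the Streamable HTTP transport shown on this page."""
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


def find_leaked_keys(text):
    """Return (line number, masked key) for each key-shaped string in text."""
    return [
        (lineno, mask_key(m.group()))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in KEY_RE.finditer(line)
    ]


def classify_error(response):
    """Map a JSON-RPC error response to (HTTP status, reaction), else None."""
    code = response.get("error", {}).get("code")
    return AUTH_ERRORS.get(code)
```

Running find_leaked_keys over staged files in a pre-commit hook reports only masked values, so the scan output itself is safe to log.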