Setup.
Authentication is a static Authorization: Bearer header — no OAuth, no Connected App, no PKCE flow. From a clean client to a working tools/list response is about thirty seconds.
Issue an API key.
Sign in at /api-keys, click New API key, set a label, and submit. The raw key is shown once— copy it immediately. Self-serve keys cap at 5 active keys per user, 60 requests per minute, and the read-only intelligence toolsets (core, findings, field-quality, dependencies).
For change-safety tools or higher rate limits, your admin can issue broader keys at /admin/api-keys. Keys are one-way hashed at rest; lost keys cannot be recovered, only rotated.
Pick the snippet for your editor.
Every supported client points at the same endpoint: https://mcp.scrubber.io/api/mcp. The only required header is Authorization: Bearer sk-....
Cursor
Open Settings → MCP Servers, add a new server, and paste the snippet below into the JSON editor (or edit ~/.cursor/mcp.json directly). Reload servers from the command palette to see the tool list populate.
{
"mcpServers": {
"scrubber": {
"url": "https://mcp.scrubber.io/api/mcp",
"headers": {
"Authorization": "Bearer sk-..."
}
}
}
}Claude Code (CLI)
Use the CLI form rather than the GUI configurator. The Claude.ai and Claude Desktop GUI configurators only support OAuth flows today, so use the CLI for static Bearer tokens. Verify with claude mcp list — the entry should report connected.
claude mcp add --transport http scrubber https://mcp.scrubber.io/api/mcp \
--header "Authorization: Bearer sk-..."Salesforce Vibes
Open Vibes → Settings → Remote MCP Servers → Add server, paste the URL and header, then click Test connection.
URL: https://mcp.scrubber.io/api/mcp
Header: Authorization: Bearer sk-...Local stdio
For CI smoke tests, MCP Inspector wiring, and local development, the stdio binary speaks the same JSON-RPC dialect over standard streams. Pick the toolsets you want with --toolsets; core is always on.
SCRUBBER_API_KEY="sk-..." \
npx scrubber-mcp --toolsets coreHeaders reference.
| Header | Required | Behaviour |
|---|---|---|
Authorization: Bearer sk-... | Yes | The static API key. Bearer scheme is case-insensitive. |
X-Scrubber-Toolsets: core,findings,... | No | Comma-separated toolset list. Defaults to your key's allowed toolsets. Requests can narrow the allowlist but never widen it. |
X-Scrubber-Tools: tool_a,tool_b | No | Narrow further to specific tool ids. Useful when you want one toolset's full surface except for two specific tools. |
Content-Type: application/json | Yes | Required for POST. The transport is JSON-RPC. |
Accept: application/json, text/event-stream | No | Recommended. The handler may return a single JSON response or an SSE stream depending on the method. |
One curl, one tool list.
Drop your key into the snippet below and run it. A successful response is a JSON-RPC reply listing the tools your key resolves to. If the toolsets header is omitted, you get whatever toolsets your key was issued with.
curl -X POST https://mcp.scrubber.io/api/mcp \
-H "Authorization: Bearer sk-..." \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'Expected: a 200 response with { result: { tools: [...] } }. A 4xx reply means the key is wrong or the requested toolset isn’t on your key — see Common errors below.
What you might see, and how to fix it.
| Status | Code | Cause | Fix |
|---|---|---|---|
| 401 | invalid_key | Bad, malformed, or revoked key. | Reissue the key from /api-keys. |
| 401 | missing_bearer | No Authorization header. | Send Authorization: Bearer sk-... |
| 403 | toolset_not_allowed | Your key wasn't issued with the requested toolset. | Ask an admin to widen the key's toolsets, or pick one your key already has. |
| 404 | unknown_signal | A signal id passed to a tool is unknown. | Call list_signals first to discover the canonical ids. |
| 429 | rate_limited | Per-key rate limit exceeded. | Honour the Retry-After header (seconds), or ask for a higher per-key limit. |