Skip to main content

Control Tool Access Per Key

A caller API key's allowed_tools decides which MCP tools that key can discover and call. The same field governs both directions: tools/list returns only the tools the key allows, and tools/call rejects any tool the key does not allow before AISIX contacts the upstream server.

Tools are named in the aggregated <server>__<tool> form, where <server> is the registered MCP server's display_name. A key with no allowed_tools — omitted, null, or an empty list — can call no MCP tools. Access is granted explicitly.

Matching Rules

Each allowed_tools entry is matched as a single-* glob against the prefixed tool name:

EntryGrantsExample
Exact nameOne specific tool.github__create_issue allows only that tool.
<server>__*Every tool on one registered server.github__* allows github__create_issue, github__list_repos, and any other github tool.
*Every tool on every registered server.* allows all current and future tools.

Choose the narrowest access that fits the caller. A <server>__* grant is scoped to exactly that server: github__* does not match slack__post, and it does not match a different server whose name merely shares the prefix, such as githubenterprise__create_issue.

curl -sS -X POST "http://127.0.0.1:3001/admin/v1/apikeys" \
-H "Authorization: Bearer ${AISIX_ADMIN_KEY}" \
-H "Content-Type: application/json" \
-d '{
"key_hash": "'"${AISIX_API_KEY_HASH}"'",
"allowed_models": [],
"allowed_tools": ["github__*", "runbooks__search"]
}'

This key can call every tool on the github server plus the single runbooks__search tool, and nothing else.

Advanced matching

Because entries are single-* globs, * can appear anywhere, not only as a trailing <server>__*. For example, *__search grants a tool named search on every registered server. Prefer per-server (<server>__*) or exact grants unless you specifically want a cross-server pattern.

Update a Key's Tool Access

Updates replace the resource, so include the existing key hash and any other fields you want to keep, along with the new allowed_tools:

curl -sS -X PUT "http://127.0.0.1:3001/admin/v1/apikeys/YOUR_API_KEY_ID" \
-H "Authorization: Bearer ${AISIX_ADMIN_KEY}" \
-H "Content-Type: application/json" \
-d '{
"key_hash": "'"${AISIX_API_KEY_HASH}"'",
"allowed_models": [],
"allowed_tools": ["github__create_issue"]
}'

To revoke all MCP tool access for a key, set allowed_tools to []. The key keeps its model access and other settings but can no longer list or call any MCP tool.

How Enforcement Works

When an MCP client lists tools, AISIX aggregates the tools from every enabled server, then filters the list to the ones the caller's key allows. The client sees only permitted tools.

When the client calls a tool, AISIX re-checks the key against allowed_tools. A tool the key does not allow is rejected with a neutral MCP error and is never routed upstream — the rejection does not reveal whether the tool or server exists. A caller can therefore neither discover nor invoke tools outside its grant.

Manage Tool Access on AISIX Cloud

On AISIX Cloud, you set tool access from the caller API key form in the dashboard instead of the Admin API:

  • All MCP tools grants *.
  • A checkbox for each MCP server exposed to the key's environment grants that server's <server>__*.
  • An advanced field accepts exact tool names for fine-grained grants.

The stored grant maps back to these controls when you edit the key, so a hand-written exact grant is preserved. See AISIX Cloud.

Next Steps

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation