Insforge MCP Server

get-anon-key

Generate a non-expiring JWT token for client-side applications requiring public access. Use with admin API key to enable secure, persistent authentication.

Instructions

Generate an anonymous JWT token that never expires. Requires admin API key. Use this for client-side applications that need public access.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`apiKey`	No	API key for authentication (optional if provided via --api_key)

Implementation Reference

src/shared/tools.ts:321-354 (handler)

Handler function that generates an anonymous JWT token by POSTing to the backend /api/auth/tokens/anon endpoint using the global or provided API key. Handles response with handleApiResponse, formats with formatSuccessMessage, adds background context, and returns error response if failed.

withUsageTracking('get-anon-key', async ({ apiKey }) => {
  try {
    const actualApiKey = getApiKey(apiKey);
    const response = await fetch(`${API_BASE_URL}/api/auth/tokens/anon`, {
      method: 'POST',
      headers: {
        'x-api-key': actualApiKey,
        'Content-Type': 'application/json',
      },
    });

    const result = await handleApiResponse(response);

    return await addBackgroundContext({
      content: [
        {
          type: 'text',
          text: formatSuccessMessage('Anonymous token generated', result),
        },
      ],
    });
  } catch (error) {
    const errMsg = error instanceof Error ? error.message : 'Unknown error occurred';
    return {
      content: [
        {
          type: 'text',
          text: `Error generating anonymous token: ${errMsg}`,
        },
      ],
      isError: true,
    };
  }
})

src/shared/tools.ts:316-319 (schema)

Zod input schema defining optional 'apiKey' parameter for the tool.

apiKey: z
  .string()
  .optional()
  .describe('API key for authentication (optional if provided via --api_key)'),

src/shared/tools.ts:312-355 (registration)

MCP server.tool registration for 'get-anon-key', including description, input schema, and handler wrapped by withUsageTracking for usage monitoring.

server.tool(
  'get-anon-key',
  'Generate an anonymous JWT token that never expires. Requires admin API key. Use this for client-side applications that need public access.',
  {
    apiKey: z
      .string()
      .optional()
      .describe('API key for authentication (optional if provided via --api_key)'),
  },
  withUsageTracking('get-anon-key', async ({ apiKey }) => {
    try {
      const actualApiKey = getApiKey(apiKey);
      const response = await fetch(`${API_BASE_URL}/api/auth/tokens/anon`, {
        method: 'POST',
        headers: {
          'x-api-key': actualApiKey,
          'Content-Type': 'application/json',
        },
      });

      const result = await handleApiResponse(response);

      return await addBackgroundContext({
        content: [
          {
            type: 'text',
            text: formatSuccessMessage('Anonymous token generated', result),
          },
        ],
      });
    } catch (error) {
      const errMsg = error instanceof Error ? error.message : 'Unknown error occurred';
      return {
        content: [
          {
            type: 'text',
            text: `Error generating anonymous token: ${errMsg}`,
          },
        ],
        isError: true,
      };
    }
  })
);

src/shared/tools.ts:193-198 (helper)

Helper function getApiKey that returns the global API_KEY from config/env, ignoring any passed parameter for consistency.

const getApiKey = (_toolApiKey?: string): string => {
  if (!GLOBAL_API_KEY) {
    throw new Error('API key is required. Pass --api_key when starting the MCP server.');
  }
  return GLOBAL_API_KEY;
};

Tool Definition Quality

A4.4/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It effectively describes key traits: the token 'never expires' (a critical behavioral detail), it's for 'public access' (implying low security risk), and it 'Requires admin API key' (specifying authentication needs). However, it doesn't mention rate limits or potential side effects, leaving some gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences with zero waste: the first states the purpose and key behavior, the second provides usage context and prerequisites. It's front-loaded with essential information and appropriately sized for the tool's complexity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given no annotations, no output schema, and a simple single-parameter tool, the description is largely complete. It covers purpose, usage, and key behavioral traits. However, it doesn't describe the output format (e.g., token structure), which could be helpful since there's no output schema, leaving a minor gap.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The schema description coverage is 100%, so the schema already documents the single optional parameter. The description adds no additional parameter-specific information beyond what's in the schema, such as format examples or usage context for the apiKey. This meets the baseline for high schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('Generate'), the resource ('anonymous JWT token'), and key characteristics ('never expires'). It distinguishes this from other authentication mechanisms by specifying it's for 'client-side applications that need public access,' making it specific and differentiated from sibling tools.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly states when to use this tool ('for client-side applications that need public access') and provides a prerequisite ('Requires admin API key'). It also implies when not to use it (for non-public or server-side scenarios), offering clear guidance without naming specific alternatives.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/InsForge/insforge-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server