Skip to content
Popcorn Docs

Connect via security token

If your AI agent doesn’t support one-click OAuth, use a security token (an API key starting with pk_live_…) as a Bearer header.

Generate a security token

Section titled “Generate a security token”
  1. Sign in to popcorn.co and click your avatar to open your Profile.
  2. On the profile page, click the (three-dot) button near the top right.
  3. Choose API Keys from the menu.
  4. Click Generate key, give it a friendly name (e.g. “My Mac” or “Cursor”), then click Generate key again.
  5. Copy the key immediately — it starts with pk_live_ and we won’t show it again. Store it somewhere safe (a password manager works great). You can always revoke and create a new one later.

The full key is your Bearer token. Paste the entire string (including pk_live_…) — do not double the prefix.

Use the token

Section titled “Use the token”

Configure your MCP client to point at:

https://api.popcorn.co/mcp

…and add this header:

Authorization: Bearer YOUR_POPCORN_API_KEY

Different clients store this differently — see the per-client guides:

Universal config (most clients)

Section titled “Universal config (most clients)”

Most MCP clients understand this shape:

{
  "mcpServers": {
    "popcorn": {
      "url": "https://api.popcorn.co/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_POPCORN_API_KEY"
      }
    }
  }
}

If your client uses a different config shape, the per-client guides show its exact format.

Managing keys

Section titled “Managing keys”

In Profile → ⋯ → API Keys you can:

  • See all your active keys, with their friendly names and last-used dates.
  • Revoke a key at any time (any client using it loses access immediately).
  • Generate as many additional keys as you need — one per device or one per teammate is a good practice.

Safety tips

Section titled “Safety tips”
  • Treat the key like a password. Don’t commit it to a public repo.
  • One key per place. If you want to share Popcorn access with a teammate, generate them their own key — that way you can revoke just theirs if anything goes wrong.
  • Lost the key? We can’t show it again — that’s by design. Just go to Profile → ⋯ → API Keys, revoke the missing one, and generate a new key.

Is the key safe to put in a config file?

Section titled “Is the key safe to put in a config file?”

Yes. The key is sent on the network as a request header — your AI agent reads it from your config file but never shows it to the model, so it can’t be leaked back into chat. It’s the same trust model as a server-side API key.