How to set up custom MCP with an API key from web app

Reddit · penny2129 · April 25, 2026
A developer built an internal publishing platform with API key generation capabilities but needs to integrate it with Claude's custom connector for research note access, facing the obstacle that Claude's UI provides no secure mechanism for API key authentication beyond plain text input in the connection URL. The developer uses Auth0 for authentication and is seeking guidance on implementing additional authentication layers necessary for the custom MCP setup.

Detailed Analysis

A developer rebuilding an internal research publishing platform encountered a practical authentication gap when attempting to integrate a custom Model Context Protocol (MCP) connector with Claude's web application. The user, who had successfully implemented API key generation within their platform and uses Auth0 for authentication, discovered that Claude's web UI connector interface does not provide a dedicated field for passing API keys securely. Claude's own in-conversation suggestion — embedding the API key directly in the connection URL — was immediately and correctly rejected as a plaintext credential exposure risk, highlighting a meaningful friction point for developers attempting to bridge proprietary internal tools with Claude's expanding integration ecosystem.

The technically correct solution involves building a dedicated remote MCP server that acts as an intermediary layer between Claude and the underlying research platform API. Using the MCP SDK (available for Node.js via `@modelcontextprotocol/sdk`), a developer deploys a publicly accessible HTTPS server — on platforms such as Vercel or Render — that implements the MCP protocol and exposes tool endpoints via Server-Sent Events (SSE). The API key for the internal platform is stored securely as an environment variable on that server, never transmitted in plaintext over a URL. When Claude calls the MCP server's tools, the server handles authenticated requests to the internal API internally, returning structured JSON responses. Critically, Anthropic's Messages API supports an `authorization_token` parameter within the `mcp_servers` configuration object, providing a proper mechanism for passing authentication credentials to the custom MCP server at the API level rather than through the web UI.
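A sketch of the credential handling such a proxy needs, as an added example that is not code from the original post or from the MCP SDK: it checks the inbound bearer token in constant time and sends the platform key upstream in a header, never in a URL. The environment variable names, the `/notes/search` path, the `X-API-Key` header and the delivery of `authorization_token` as an `Authorization: Bearer` header are assumptions.

```javascript
// Added example. Env var names, /notes/search and X-API-Key are assumptions.
const crypto = require('node:crypto');

// Constant-time comparison over fixed-length digests, so neither the token
// length nor the position of the first mismatch leaks through timing.
function tokensMatch(presented, expected) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// Inbound check: accept only "Authorization: Bearer <token>". Fails closed when
// the server has no token configured or the header is missing or malformed.
function authorizeInbound(headers, env) {
  const expected = env.MCP_BEARER_TOKEN;
  const m = /^Bearer ([^\s]+)$/i.exec(headers.authorization || '');
  if (!expected || !m) return false;
  return tokensMatch(m[1], expected);
}

// Outbound request: the platform API key travels in a header, read from the
// server environment. User input goes only into an encoded query parameter.
function buildUpstreamRequest(query, env) {
  if (!env.RESEARCH_API_KEY) throw new Error('RESEARCH_API_KEY is not set');
  const url = new URL('/notes/search', env.RESEARCH_API_BASE);
  url.searchParams.set('q', String(query).slice(0, 200));
  return { url: url.toString(), init: { headers: { 'X-API-Key': env.RESEARCH_API_KEY } } };
}

// Tool handler an MCP server would call once the transport has parsed the call.
async function searchNotesTool(headers, args, env = process.env, fetchImpl = fetch) {
  if (!authorizeInbound(headers, env)) return { status: 401, body: { error: 'unauthorized' } };
  const { url, init } = buildUpstreamRequest(args.query, env);
  const res = await fetchImpl(url, init);
  // Return only the upstream payload; never echo request headers or the key.
  if (!res.ok) return { status: 502, body: { error: 'upstream failure' } };
  return { status: 200, body: await res.json() };
}
```

Because the key never enters a URL, it stays out of access logs, proxy logs and browser history on both sides of the proxy.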

This architecture reveals an important distinction between Claude's consumer-facing web UI and its developer-facing Messages API. The web UI's MCP connector interface, while useful for straightforward integrations, does not yet expose the full authentication configuration surface that the underlying API supports — leaving technically intermediate users in an awkward middle ground where the interface obscures capabilities that are genuinely available programmatically. The user's situation, building internal tooling with existing Auth0 infrastructure and generated API keys, is precisely the use case the Messages API's `mcp_servers` configuration is designed to handle, but accessing it requires shifting from the web UI to direct API calls using the Anthropic Python or JavaScript SDKs with the `mcp-client-2025-11-20` beta flag enabled.

This case reflects a broader pattern in the rapid rollout of MCP as a standard across the AI tooling ecosystem. Anthropic formally introduced MCP in late 2024, and adoption has accelerated significantly through 2025 as developers attempt to connect Claude to proprietary data sources, internal APIs, and specialized workflows. The gap between what GUI-based connectors expose and what the underlying protocol supports is a predictable growing pain in this adoption curve — the protocol itself is sophisticated and well-specified, but the user-facing surfaces for configuring it are still maturing. For developers with Auth0-managed authentication and internally generated API keys, the recommended path is building a thin MCP server layer that absorbs the authentication complexity, keeping credentials server-side and presenting Claude with clean, permissioned tool interfaces. This pattern — a secure proxy MCP server — is likely to become a standard architectural primitive as more organizations bring Claude into contact with sensitive internal systems.
