Authentication

FinanceDataAPI authenticates MCP requests at the HTTP layer, before any MCP message is processed. That means missing or invalid credentials fail as plain HTTP responses rather than tool-level MCP errors.

Accepted header format

The middleware accepts the API key in the X-API-Key header:

X-API-Key: <YOUR_API_KEY>

What the middleware enforces

Every MCP request runs through the same key/account lifecycle checks used by the REST API:

| Condition | Result |
| --- | --- |
| Unknown or revoked key | 401 invalid_key / 401 key_invalid |
| Disabled API key | 403 key_disabled |
| Deleted account | 403 account_deleted |
| Disabled account | 403 account_disabled |

Example remote-server config

{
  "url": "https://<your-financedataapi-host>/v1/mcp",
  "headers": {
    "X-API-Key": "<YOUR_API_KEY>"
  }
}

Security notes

  • Treat the FinanceDataAPI key exactly like a production API credential.
  • Store it in your client config or environment variables, not in prompts, chat history, or source code.
  • Rotate the key in the FinanceDataAPI dashboard if it was copied to the wrong place.

Billing and limits

After authentication succeeds, FinanceDataAPI applies:

  1. Per-key token-bucket rate limiting
  2. Monthly usage quota enforcement
  3. Usage logging with labels like MCP list_symbols and MCP run_signals

For tool calls, rate-limit and monthly-quota failures surface as MCP errors with code -32000. The tool pages and troubleshooting section show what to expect.
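
The following is an added example, not FinanceDataAPI's own code. It shows a client that reads the key from the environment, masks it before logging, and separates HTTP-layer authentication failures from MCP errors with code -32000. The variable name FINANCEDATAAPI_KEY, the top-level "error" field in 401/403 bodies, and a single JSON document per response are assumptions; the sample responses are constructed.

```python
import json
import os

# HTTP-layer failures from the table on this page, as (status, code) pairs.
AUTH_FAILURES = {
    (401, "invalid_key"), (401, "key_invalid"), (403, "key_disabled"),
    (403, "account_deleted"), (403, "account_disabled"),
}
MCP_LIMIT_CODE = -32000  # rate-limit and monthly-quota failures on tool calls

def build_headers(env=os.environ, var="FINANCEDATAAPI_KEY"):
    """Read the key from the environment; the variable name is an assumption."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; not sending an unauthenticated request")
    return {"X-API-Key": key}

def redact(headers):
    """Copy of the headers that is safe to log: the key value is masked."""
    return {k: "<redacted>" if k.lower() == "x-api-key" else v
            for k, v in headers.items()}

def classify(status, body):
    """Return (layer, code) for one HTTP response to an MCP request."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None
    err = doc.get("error") if isinstance(doc, dict) else None
    if status in (401, 403):
        # Assumption: the code string is in a top-level "error" field.
        known = isinstance(err, str) and (status, err) in AUTH_FAILURES
        return ("http-auth", err if known else "unknown")  # same key fails again
    if isinstance(err, dict):  # JSON-RPC error object carried by MCP
        limited = err.get("code") == MCP_LIMIT_CODE
        return ("mcp-limit" if limited else "mcp-error", err.get("code"))
    return ("ok", None) if status < 400 else ("http-error", status)

# Constructed sample responses (not captured from the service).
SAMPLES = [
    (401, '{"error": "invalid_key"}'),
    (403, '{"error": "account_disabled"}'),
    (200, '{"jsonrpc": "2.0", "id": 1, "error": {"code": -32000, "message": "limit"}}'),
    (200, '{"jsonrpc": "2.0", "id": 1, "result": {}}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify(status, body))
```

An "http-auth" result means the request never reached MCP processing and repeating it with the same key will not help; an "mcp-limit" result means authentication succeeded and the call should be delayed rather than re-keyed.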