🔐Enabling API Key Authentication for Logic Apps MCP Servers

We previously announced support for building Logic Apps MCP servers. This capability comes in a couple forms including via the wizard hosted in API Center and through manual configurations inside an existing Logic App. 

When we initially shipped this feature, we offered two authentication options:

• OAuth2 (default)
• Anonymous (opt-in)

Based upon customer feedback and the need for greater interoperability with non-Microsoft agent frameworks we have enabled API Key authentication. API Key authentication now becomes part of the default security configuration, which means when you use API Center (or AI Foundry) to generate an MCP Server, we will setup OAuth and API Key by default.

How can I configure my authentication settings?

In our product documentation, we discuss the role of host.json and that becomes a key configuration to enable a Logic App as an MCP server. We have recently introduced an authentication node which includes a type property. Within this property there are 3 valid options that can be used:

• OAuth2
• ApiKey
• Anonymous

By default, you won't see a type property in host.json and that means that you have the default settings which include OAuth2 and ApiKey. If you explicitly add one of these values, only that authentication scheme will be implemented.

{ "version": "2.0", "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle.Workflows", "version": "[1.*, 2.0.0)" }, "extensions": { "workflow": { "McpServerEndpoints": { "enable": true, "authentication": { "type": "ApiKey" } } } } }

Note: We will be adding a user experience around accessing key information, but for now, you can access this information by calling our backend APIs.

Pre-requisites

In order to connect to the related APIs, we will need a Bearer token that can be used to authenticate our request. A simple way to obtain this token is to log into the Azure Portal and then open up a Cloud Shell session. 

Issue the following command: az account get-access-token --resource https://management.azure.com/

You will see a response that includes an 'accessToken'. Copy this value.

Retrieving API Key

To obtain an API key, use your favorite REST client and call the following endpoint with the query parameter getApikey=true:

REST Endpoint: POST /listMcpServers

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{RGName}/providers/Microsoft.Web/sites/{LAName}/hostruntime/runtime/webhooks/workflow/api/management/listMcpServers?api-version=2021-02-01&getApikey=true

You should receive a response that includes all MCP Servers for that Logic App, related tools and a value of X-API-Key. This will be the key that you can use to connect to your MCP Server. 

Note:  The API Keys that are available, both primary and secondary, apply to the entire Logic App and not individual MCP Servers

If you prefer using a CLI, you can alternatively issue this command instead:

az rest --method post --url https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{RGName}/providers/Microsoft.Web/sites/{LAName}/hostruntime/runtime/webhooks/workflow/api/management/listMcpServers?api-version=2021-02-01&getApikey=true

Note: Providing a request body is not required unless you want some additional control over the behavior of the API. For example, you have the ability to control whether you are interested in the primary or secondary key and notAfter when dealing with expiry dates.

{

    "keyType": "primary", // Optional: "primary" or "secondary". Defaults to "primary" if not provided.

    "notAfter": "2026-09-04T10:04:24Z" // Optional: UTC timestamp for API Key expiry. Defaults to 24 hours if not provided.

}

Tools

As you may have noticed, one of the benefits of using the listMCPServers API is that it will also display any of the preconfigured tools for an MCP Server. This is a good way to discover what tools are available in the MCP Server.

Regenerating API Key

To regenerate an API key, we do have a different API that we can call to accomplish this.

Endpoint: POST /regenerateMcpServerAccessKey

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{RGName}/providers/Microsoft.Web/sites/{LAName}/hostruntime/runtime/webhooks/workflow/api/management/regenerateMcpServerAccessKey?api-version=2021-02-01 

CLI: Alternatively, if you have CLI installed, then you can use this command:

az rest --method post --url https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{RGName}/providers/Microsoft.Web/sites/{LAName}/hostruntime/runtime/webhooks/workflow/api/management/regenerateMcpServerAccessKey?api-version=2021-02-01

When making these calls, we do need to ensure that we provide a keyType in our request body.

{

"keyType": "primary" // Required: "primary" or "secondary"

}

When you make this call you will receive a 200 OK HTTP response. To access the new key value, call the listMcpServee API that we previously discussed in this article.

Usage

You can use the API Key MCP Server authentication from any MCP client that supports it. We have recently introduced Agent Loop support for MCP Servers so we can use that here. With our URL, APIKey we can configure connection to call our MCP Server using API Key. 

Start by building a Conversational Agent (this will also work with autonomous agents as well) and click Add an MCP server (preview).

Click on Add MCP Server

Add a new connection and select Key as your Authentication Type. From there, insert your MCP Server URL and Key. For the Key Header Name provide a value of X-API-KEY.

Save and run your agent. 

Demo

To see a demo of how to setup API Key authentication, please see the following video