Skip to main content

Connections

Connections are encrypted credential vaults for upstream MCP servers. Instead of putting real API keys in your code, you create a connection in Igris that stores the credential securely and gives you a clean gateway URL.

How Connections Work

Without connections:
  Your app → real upstream credential in code → MCP server

With connections:
  Your app → Igris API key only → Igris Gateway → injects real credential → MCP server
Benefits:
  • Real credentials never leave Igris — encrypted at rest with AES-256-GCM
  • Rotate credentials instantly without changing any code
  • Revoke access by disabling the connection
  • Full audit trail of every request per connection

Create a Connection

In the dashboard: Governance → Connections → New Connection Or via API: 
curl -X POST https://gateway.igris.dev/api/v1/virtual-keys \
  -H "Authorization: Bearer ig_..." \
  -H "Content-Type: application/json" \
  -d '{
    "slug": "vk_github_prod",
    "name": "GitHub Production",
    "upstreamUrl": "https://mcp.github.com",
    "authType": "bearer",
    "credential": "ghp_your_github_token"
  }'
The credential is encrypted and stored. It will never be returned in any API response.

Use a Connection

With the SDK

const config = igris.getMcpConfig("vk_github_prod", {
  user: "alice@company.com",
  metadata: { role: "developer" },
});

// config.url = "https://gateway.igris.dev/v1/mcp/vk_github_prod"

Direct MCP Client Config

{
  "mcpServers": {
    "github": {
      "url": "https://gateway.igris.dev/v1/mcp/vk_github_prod",
      "headers": {
        "Authorization": "Bearer ig_your_api_key"
      }
    }
  }
}

Credential Injection

When the gateway receives a request, it:
  1. Strips your Igris API key (never forwarded upstream)
  2. Decrypts the connection’s credential
  3. Injects it as Authorization: Bearer <credential> to the upstream server
The upstream server only sees its own credential. Your users only see the Igris API key.

Rotate Credentials

Update a credential without changing any SDK configs: 
curl -X POST https://gateway.igris.dev/api/v1/virtual-keys/vk_github_prod/rotate \
  -H "Authorization: Bearer ig_..." \
  -H "Content-Type: application/json" \
  -d '{ "credential": "ghp_new_token_here" }'
All requests immediately use the new credential. Zero downtime.

Slug Format

Connection slugs must be:
  • Lowercase letters, numbers, underscores, hyphens
  • 3-64 characters
  • Start with a letter or number
Examples: vk_github_prod, slack-mcp, analytics01