# Authentication
The MCP server authenticates using your space.vars.ionos\_cloud\_api token and, for space.vars.ionos\_cloud\_object\_storage tools, your Object Storage credentials.
## API token
`IONOS_TOKEN` is required for all tools. It authenticates requests to the [Compute Engine](https://docs.ionos.com/cloud/compute-services/compute-engine), [Cloud DNS](https://docs.ionos.com/cloud/network-services/cloud-dns), [Billing](https://docs.ionos.com/cloud/management/usage/cost-and-usage), [Certificate Manager](https://docs.ionos.com/cloud/security/certificate-manager), and [Object Storage](https://docs.ionos.com/cloud/backup-and-storage/ionos-object-storage) management APIs.
**To generate an API token:**
{% stepper %}
{% step %}
### Log in to the DCD and go to Token Management
Log in to the [DCD](https://dcd.ionos.com/) and navigate to **Management** > **Token Management**.
{% endstep %}
{% step %}
### Generate and copy the token
Select **Generate Token**, set an expiry, and copy the token value.
Set an expiry that matches your use case: 24 hours for one-off queries, 7–30 days for persistent AI client setups, or longer for automated workflows. If the token expires during a session, tool calls will fail with authentication errors. Update the token in your configuration and restart the AI client. For more information, see [FAQ](/cloud/ai/mcp-server/faq.md#what-happens-if-my-token-expires-during-a-session).
{% endstep %}
{% endstepper %}
Pass the token in your MCP client configuration:
```json
{
"mcpServers": {
"ionoscloud": {
"command": "/path/to/ionoscloud-mcp",
"env": {
"IONOS_TOKEN": "your-api-token"
}
}
}
}
```
## IONOS CLOUD Object Storage credentials
Object Storage data-plane tools (listing objects, reading bucket configuration, and checking access keys) require Object Storage credentials in addition to `IONOS_TOKEN`.
**To generate Object Storage credentials:**
{% stepper %}
{% step %}
### Log in to the DCD and go to Access Keys
Log in to the [DCD](https://dcd.ionos.com/) and navigate to **Object Storage** > **Access Keys**.
{% endstep %}
{% step %}
### Generate and copy the credentials
Select **Generate Key** and copy the access key and secret key.
{% endstep %}
{% endstepper %}
Add the credentials to your MCP client configuration:
```json
{
"mcpServers": {
"ionoscloud": {
"command": "/path/to/ionoscloud-mcp",
"env": {
"IONOS_TOKEN": "your-api-token",
"IONOS_S3_ACCESS_KEY": "your-access-key",
"IONOS_S3_SECRET_KEY": "your-secret-key"
}
}
}
}
```
{% hint style="warning" %}
**Warning:** Never commit your API token or Object Storage credentials to version control. Use your operating system keychain or a secrets manager to store them securely.
{% endhint %}
## Security best practices
* Use a dedicated token for the MCP server rather than your primary account token.
* Restrict the token to read-only permissions where your space.vars.ionos\_cloud account allows it.
* If you use a sub-user account, ensure the token has read access to each product you intend to query. Tokens with restricted scope return empty results or errors for out-of-scope resources.
* On macOS and Linux, restrict access to your configuration file after saving credentials:
```bash
chmod 600 ~/Library/Application\ Support/Claude/claude_desktop_config.json
```
## Token scope by product area
Use the table below to set minimum-privilege permissions when creating a dedicated MCP token. All operations are read-only in this release.
| Product | Permission required | Tools covered |
| --------------------------------------- | ------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
| Compute Engine | Read access to Virtual Data Centers | All Compute Engine tools (50) |
| IONOS CLOUD Object Storage | Read access to Object Storage (management API) | Bucket listing, bucket configuration tools |
| IONOS CLOUD Object Storage (data-plane) | Object Storage access key + secret key (`IONOS_S3_ACCESS_KEY`, `IONOS_S3_SECRET_KEY`) | Object listing, object metadata, versioning |
| Cloud DNS | Read access to DNS | All DNS tools (14) |
| Billing | Read access to Billing / Usage | All Billing tools (15, including `get_billing_focus_spec` which needs no IONOS privilege) |
| Certificate Manager | Read access to Certificate Manager | All Certificate Manager tools (6) |
| Activity Log | `ACCESS_ACTIVITY_LOG` privilege on the token | All Activity Log tools (2) |
For the narrowest possible scope, create a sub-user with access only to the products you intend to query and generate the token under that sub-user.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.ionos.com/cloud/ai/mcp-server/configuration/authentication.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.