API & Keys
API Key Naming
Each editor you connect creates an API key named after that editor. Makes the dashboard readable, revocation precise.
The naming convention
Editor you picked Key name in dashboard Example ───────────────────── ────────────────────────── ────────────────── Cursor cursor-<6-hex> cursor-a4f2c1 Claude Code claude-code-<6-hex> claude-code-7b1c9e Claude Desktop claude-desktop-<6-hex> claude-desktop-3f2a8d VS Code vscode-<6-hex> vscode-d8e6b1 Codex codex-<6-hex> codex-1a9f7c OpenCode opencode-<6-hex> opencode-c4b2e8 Windsurf windsurf-<6-hex> windsurf-9d6e4f Zed zed-<6-hex> zed-7e3c1b Warp warp-<6-hex> warp-5a2f8d Gemini CLI gemini-cli-<6-hex> gemini-cli-b8d4e1 Kiro kiro-<6-hex> kiro-3e9c2a Cline cline-<6-hex> cline-f1a7d6 JetBrains jetbrains-<6-hex> jetbrains-2c5b9e Kilo Code kilo-code-<6-hex> kilo-code-8a3d7c Amp amp-<6-hex> amp-4b1e9f Continue continue-<6-hex> continue-d6c2a8 GitHub Copilot CLI copilot-cli-<6-hex> copilot-cli-7e9b3a Factory Droid factory-droid-<6-hex> factory-droid-a4d8c2 Antigravity antigravity-<6-hex> antigravity-5f1e7b TRAE trae-<6-hex> trae-2b9c4e
The 6-char hex suffix is a random ID that prevents collisions when you connect the same editor twice (e.g. one for work laptop, one for personal).
Why per-editor naming matters
1. The dashboard is readable
Without this convention you'd see:
API Keys ────────────────────────── zephex-cli-a4f2c1 ← which editor is this? zephex-cli-7b1c9e ← and this one? zephex-cli-3f2a8d ← I have no idea
With the new convention:
API Keys ────────────────────────── cursor-a4f2c1 ← clearly Cursor claude-code-7b1c9e ← clearly Claude Code claude-desktop-3f2a8d ← clearly Claude Desktop
2. Revocation is precise
You connected Zephex to your work laptop's Cursor and your personal MacBook's VS Code. Your laptop gets stolen. You want to revoke just the work key without breaking the personal setup.
In the dashboard, find cursor-a4f2c1, click revoke. Done. The VS Code key (vscode-d8e6b1) keeps working.
3. Usage tracking per editor
The npx zephex usage --cursor command filters tool calls to just keys named cursor-*. So you can see "how many times Cursor used Zephex this month" vs "how many times Claude Desktop used Zephex this month" — useful for understanding which editor is your primary driver.
The full key format
What a key actually looks like:
mcp_prod_priv-1234.abc123def456ghi789jkl0mnBreakdown:
mcp_prod_priv-1234.abc123def456ghi789jkl0mn
└────┬────┘ └─┬─┘ └─┬─┘ └────────────┬────────────┘
│ │ │ │
│ │ │ └── Random secret (24 chars)
│ │ └── Word-number identifier (incrementing)
│ └── Privacy level (priv = private personal key)
└── Environment prefix (prod = production zephex.dev/mcp)The display name in the dashboard (cursor-a4f2c1) is the label, not the key itself. The full key (mcp_prod_priv-...) is what your editor sends in the Authorization header.
How key creation works
1. You run: npx zephex setup --cursor
│
▼
2. Browser opens: zephex.dev/cli/auth?session=<id>
│
▼
3. You sign in (GitHub or Google)
│
▼
4. Browser sends to backend:
POST /api/cli/complete
{ session_id, jwt, editor: "cursor" }
│
▼
5. Backend looks up editor name:
editor = "cursor" → EDITOR_NAMES["cursor"] = "cursor"
suffix = randomBytes(3).toString("hex") → "a4f2c1"
keyName = "cursor-a4f2c1"
│
▼
6. Backend generates key: mcp_prod_priv-1234.abc...
Hashes with HMAC-SHA256 + salt
Inserts into api_keys with user_defined_name = "cursor-a4f2c1"
│
▼
7. CLI receives the plain key
Writes ~/.cursor/mcp.json with Authorization: Bearer <key>
│
▼
8. Done. Key shows up in dashboard as "cursor-a4f2c1"Editor display name reference
This is the exact mapping the backend uses:
cursor → cursorclaude → claude-codeclaude-desktop → claude-desktopvscode → vscodecodex → codexopencode → opencodewindsurf → windsurfzed → zedwarp → warpgemini → gemini-clikiro → kirocline → clinejetbrains → jetbrainskilo → kilo-codeamp → ampcontinue → continuecopilot → copilot-clidroid → factory-droidantigravity → antigravitytrae → traeFAQ
Can I rename an existing key?
Yes — go to zephex.dev/dashboard/keys, click the key, edit the name. The change reflects immediately.
What if I connect the same editor twice?
Each setup creates a new key with a new random suffix. So you might have cursor-a4f2c1 AND cursor-9d8e1f if you ran setup twice. Both work. Use npx zephex keys to see them all.
Why don't keys include my email or username?
Privacy. Key names are visible to you in the dashboard but never embedded with personal info. The 6-hex suffix is enough to disambiguate without leaking identifying data.
Old keys still say zephex-cli-cursor. Will they break?
No. Old key names keep working forever. Only newly created keys (after the v2.3.0 update) use the new naming. To rename an old one, edit it in the dashboard.
Can I use my own naming scheme?
Yes — after setup, edit the key name in the dashboard. The CLI doesn't care about the name; only the key itself matters for authentication.
Where to next
- Architecture — how everything connects
- API Key Management — create, revoke, rotate
- CLI Commands — including
zephex keysandzephex usage