Security & tokens

How MCP access is scoped, stored and revoked.

# Personal Bearer tokens

  • Tokens are personal: each maps to one user in one organisation, and every MCP action is attributed accordingly.
  • A fresh token is displayed once at creation — sSystm stores only enough to verify it, so it can never be shown again.
  • The token list shows creation time and last-used time; revoke any token instantly from the same page.
  • Name tokens after where they live ("Laptop", "Claude Code") so a leaked one is easy to identify and kill.

# Org scoping

Every tool and resource is org-scoped server-side. Your AI can read your pipeline and write into your component library — and structurally cannot reach any other organisation’s data with your token.

Reads and writes over MCP are real and immediate: they appear in the workspace instantly, attributed to the token's owner. The separate built-in platform agent is different: its actions are staged as pending until a human approves — see Human-in-control.
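The token lifecycle above (shown once, stored only as a verifier, created/last-used times, instant revocation) and the server-side org scoping can be sketched in one small store. This is an added illustration, not sSystm's own code; the `mcp_` prefix, the SHA-256 digest and the `TokenStore`/`TokenRecord` names are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    """One personal token: exactly one user in one organisation."""
    user: str
    org: str
    name: str                          # where it lives, e.g. "Laptop"
    created: float
    last_used: Optional[float] = None
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        # Keyed by sha256(token). The plaintext is never persisted, so the
        # token can be shown once at creation and never again.
        self._by_hash: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, org: str, name: str) -> str:
        """Mint a high-entropy token and return the plaintext exactly once."""
        token = "mcp_" + secrets.token_urlsafe(32)   # assumed prefix
        self._by_hash[self._digest(token)] = TokenRecord(user, org, name, time.time())
        return token

    def verify(self, token: str) -> Optional[TokenRecord]:
        """Resolve a presented token to its owner; None if unknown or revoked."""
        rec = self._by_hash.get(self._digest(token))
        if rec is None or rec.revoked:
            return None
        rec.last_used = time.time()                   # what the token list shows
        return rec

    def authorize(self, token: str, resource_org: str) -> Optional[TokenRecord]:
        """Org scoping: the org comes from the token, never from the request."""
        rec = self.verify(token)
        return rec if rec is not None and rec.org == resource_org else None

    def revoke(self, user: str, org: str, name: str) -> bool:
        """Revoke from the token list by (user, org, name); takes effect at once."""
        hits = [r for r in self._by_hash.values()
                if (r.user, r.org, r.name) == (user, org, name) and not r.revoked]
        for r in hits:
            r.revoked = True
        return bool(hits)
```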