MCP & agents

Permissions scoped per agent.

Every MCP API key is scoped — by workspace, project, and capability. Read-only reviewers, write-access authors, diagram-only workers: granularity is up to you.

Scope tiers

A key has three scope dimensions:

  • Workspaces — which workspaces the key can see at all.
  • Projects — within those workspaces, which projects.
  • Capabilities — what actions the key can perform.

Capability groups

read

List, get, search across all resources.

write.docs

Create, edit, patch documents.

write.diagrams

Generate and update diagrams.

write.plans

Create plans, phases, tasks; set status.

write.improvements

Capture and update improvements.

admin

Manage categories, folders, uploads.

Default to least privilege

A scope-wide admin key is convenient during setup but risky for long-running agents. Rotate to a scoped key once the agent's job is clear.

Managing keys

Open Settings → MCP keys in the app. You'll see every key, its scope, its last use timestamp, and a revoke button. Keys are always revocable without redeploying the agent.

Audit events

Every tool call by an agent is logged with the key label, timestamp, tool name, and input summary. Query logs via the admin dashboard or the audit capability in MCP.

Example scope (JSON)
{
  "label": "cursor-on-laptop",
  "workspaces": ["c95d151a-…"],
  "projects": ["767d20f4-…"],
  "capabilities": ["read", "write.docs", "write.diagrams"]
}
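
One way to act on "rotate to a scoped key once the agent's job is clear", as an added example that is not the product's own code: compare a key's granted capabilities with the ones its audit events show in use, and draft a narrower scope in the format above. The tool names, the tool-to-capability mapping, the audit event field names and all sample values are assumptions constructed for illustration.

```python
import json

# Capability groups named on the page.
KNOWN_CAPS = {"read", "write.docs", "write.diagrams",
              "write.plans", "write.improvements", "admin"}

# ASSUMPTION: hypothetical tool names mapped to capability groups; the page
# does not list the real MCP tool names.
TOOL_CAPABILITY = {
    "search": "read", "get_document": "read",
    "patch_document": "write.docs",
    "update_diagram": "write.diagrams",
    "create_task": "write.plans",
    "create_folder": "admin",
}

def review_scope(scope, audit_events):
    """Compare what a key is granted with what its audit events show it using."""
    granted = set(scope["capabilities"])
    used, unmapped = set(), set()
    for event in audit_events:
        if event["key_label"] != scope["label"]:
            continue  # event belongs to a different key
        cap = TOOL_CAPABILITY.get(event["tool"])
        if cap is None:
            unmapped.add(event["tool"])  # needs manual review before narrowing
        else:
            used.add(cap)
    return {
        "unknown_capabilities": sorted(granted - KNOWN_CAPS),
        "unused_capabilities": sorted((granted & KNOWN_CAPS) - used),
        "unmapped_tools": sorted(unmapped),
        # Draft replacement: same workspaces and projects, only capabilities seen in use.
        "suggested_scope": {**scope, "label": scope["label"] + "-scoped",
                            "capabilities": sorted(used & granted)},
    }

# Constructed sample data (hypothetical field names; not real keys, ids or log lines).
SETUP_KEY = {"label": "diagram-worker", "workspaces": ["ws-example"],
             "projects": ["proj-example"],
             "capabilities": ["read", "write.docs", "write.diagrams", "admin"]}
AUDIT_EVENTS = [
    {"key_label": "diagram-worker", "timestamp": "2025-01-10T09:00:00Z", "tool": "search"},
    {"key_label": "diagram-worker", "timestamp": "2025-01-10T09:01:00Z", "tool": "update_diagram"},
    {"key_label": "other-key", "timestamp": "2025-01-10T09:02:00Z", "tool": "create_folder"},
    {"key_label": "diagram-worker", "timestamp": "2025-01-10T09:03:00Z", "tool": "export_pdf"},
]

if __name__ == "__main__":
    print(json.dumps(review_scope(SETUP_KEY, AUDIT_EVENTS), indent=2))
```

Any entry in unmapped_tools means the observation is incomplete, so resolve those tool names before issuing the narrower key and revoking the old one.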