Token Management

MCP tokens provide secure access to Edsger's MCP API for AI agents, the CLI, and external tools.

Creating a Token

1. Navigate to "MCP" in the sidebar
2. Click "Create Token"
3. Configure the token:
   • Name: Descriptive name for the token
   • Permissions: Select allowed resources
   • Rate Limits: Set request limits

Token Permissions

Configure which resources the token can access:

• Products: Read/write product data
• Features: Manage features and their lifecycle
• User Stories: Create, update, and delete stories
• Test Cases: Manage test cases and their status
• Test Reports: Create and update test reports
• Checklists: Manage checklists and checklist items

Rate Limiting

Protect your resources with rate limits:

Rate limits are enforced at the token level. Exceeding limits returns an error response.

Token Authentication

Tokens are used as bearer tokens in the Authorization header:

Authorization: Bearer YOUR_MCP_TOKEN

Tokens are validated via the validate_mcp_token RPC function, which checks validity, permissions, and rate limits in a single call.

Security Best Practices

Token Storage

• Never commit tokens to version control
• Use environment variables (e.g., EDSGER_MCP_TOKEN)
• Rotate tokens regularly

Minimal Permissions

• Only grant necessary permissions
• Create separate tokens for different use cases (CLI vs. external integrations)
• Revoke unused tokens

Monitoring

• Review access logs regularly (all requests logged to mcp_access_logs)
• Track usage statistics via mcp_usage_stats
• Set up alerts for unusual activity

Revoking Tokens

To revoke a token:

1. Go to MCP settings
2. Find the token
3. Click "Revoke"

Revoked tokens are immediately invalidated. All subsequent requests with the token will be rejected.

Usage Analytics

Track token usage in the MCP dashboard:

• Request count
• Error rate
• Most accessed resources
• Response times