Connect with a workspace token Pro
A workspace token works with every MCP client - you paste it into the
Authorization header. Reach for this when your client doesn't support
OAuth, or for headless / CI setups where a browser sign-in
isn't practical. It's the same token the REST API uses.
1Create a token
The workspace owner mints one in Settings → API.
2Add to client
Paste it into the Authorization header.
3Connected
The agent reads your maps.
Create a token
In the dashboard, go to Settings → Workspace →
API tokens and create one (owner-only).
The secret - cnpy_live_… - is shown once, so copy it immediately. See
Authentication for the full
walkthrough.
Add the server
Put the token in the Authorization header as a bearer:
claude mcp add --transport http canopy https://canopy.8starlabs.com/api/mcp \
--header "Authorization: Bearer <your-token>"What it grants
A token is full workspace access
Unlike an OAuth grant, a workspace token is not read-only - it can read and write your maps through the REST API. The MCP server itself only ever reads, but the token you paste in could do more if used elsewhere. Treat it like a password: store it in an environment variable, never commit it, and prefer OAuth when your client supports it.
Revoke access
Open Dashboard → Settings → Workspace →
API, find the token, and Revoke it. It
stops working immediately and everywhere - the next request from any MCP
client or the REST API using that token returns 401. There's nothing to
un-configure on the client side; the token is simply dead.
CI pipeline
cnpy_live_••••a1b2 · Never expires
A workspace can hold only one active token at a time. To rotate, delete the current token, create a new one, and update your client (there's a brief gap while no token is live - schedule rotations accordingly).
For the side-by-side comparison, see Token vs OAuth on the MCP overview.