Connect with a token

Connect with a workspace token Pro

A workspace token works with every MCP client - you paste it into the Authorization header. Reach for this when your client doesn't support OAuth, or for headless / CI setups where a browser sign-in isn't practical. It's the same token the REST API uses.

1Create a token

The workspace owner mints one in Settings → API.

2Add to client

Paste it into the Authorization header.

3Connected

The agent reads your maps.

create a token, paste it, connect - revoke anytime

Create a token

In the dashboard, go to Settings → Workspace → API tokens and create one (owner-only). The secret - cnpy_live_… - is shown once, so copy it immediately. See Authentication for the full walkthrough.

Add the server

Put the token in the Authorization header as a bearer:

claude mcp add --transport http canopy https://canopy.8starlabs.com/api/mcp \
  --header "Authorization: Bearer <your-token>"

What it grants

A token is full workspace access

Unlike an OAuth grant, a workspace token is not read-only - it can read and write your maps through the REST API. The MCP server itself only ever reads, but the token you paste in could do more if used elsewhere. Treat it like a password: store it in an environment variable, never commit it, and prefer OAuth when your client supports it.

Scopethe whole workspace (read + write via REST; read-only via MCP)
Who can createthe workspace owner only
PlanPro
Limitup to 10 active tokens per workspace
Lifetimeuntil it expires (you choose) or you revoke it

Revoke access

Open Dashboard → Settings → Workspace → API, find the token, and Revoke it. It stops working immediately and everywhere - the next request from any MCP client or the REST API using that token returns 401. There's nothing to un-configure on the client side; the token is simply dead.

Settings → Workspace → API

CI pipeline

cnpy_live_••••a1b2 · Never expires

Revoke
revoke kills REST + MCP instantly

A workspace can hold only one active token at a time. To rotate, delete the current token, create a new one, and update your client (there's a brief gap while no token is live - schedule rotations accordingly).

For the side-by-side comparison, see Token vs OAuth on the MCP overview.

to paste into any AI.

Ask ChatGPT about this page.

Ask Claude about this page.

Need help? Sign in to chat with support

Have ideas?

General inquiry? Email support.