Security

MCP Authentication

The AmDital MCP server supports two authentication paths: a long-lived API key for developer and automation use, and a short-lived workspace token for user-scoped access. Both are passed as a Bearer token in the Authorization header.

Never share your API key in public repositories, client-side code, or screenshots. Rotate it immediately if exposed.

Path 1 — API key authentication

API keys are the recommended authentication method for MCP connections. They are long-lived, workspace-scoped, and do not expire unless you rotate them manually.

Getting an API key

1Log in to your AmDital workspace.
2Go to Settings → API Keys.
3Click Generate new key and give it a descriptive name (e.g. "MCP — Claude Desktop").
4Copy the key — it is only shown once.
5Store it securely (password manager, secrets manager, or environment variable).

Using the API key in your MCP config

{
  "mcpServers": {
    "amdital": {
      "url": "https://api.amdital.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Replace YOUR_API_KEY with the key you generated above.

Key permissions

API keys inherit the role of the workspace member who created them. An admin key can call all tools. A manager key cannot call workspace-level admin tools. Grant least-privilege where possible.

Role	Allowed tools
owner / admin	All 9 tools
manager	list_*, create_task, create_ticket, create_lead, get_member
employee / contractor	list_projects, create_task, create_ticket
client	create_ticket only

Path 2 — Workspace token (user-scoped)

Workspace tokens are short-lived JWTs issued by the AmDital Supabase auth layer. They are suitable for building custom integrations where the token is obtained at runtime on behalf of a logged-in user.

Obtaining a workspace token

The workspace token is the Supabase JWT access token from the authenticated user session. In a Next.js app using AmDital auth:

// apps/app — server component or API route
import { createServerClient } from '@supabase/ssr'

const supabase = createServerClient(/* ... */)
const { data: { session } } = await supabase.auth.getSession()
const workspaceToken = session?.access_token

Using the token in MCP calls

// Custom MCP client (Python SDK example)
from mcp import Client

async with Client("https://api.amdital.com/mcp",
  headers={"Authorization": f"Bearer {workspace_token}"}
) as client:
  result = await client.call_tool("list_projects",
    {"workspaceId": "your-workspace-id"}
  )

Token lifetime

Workspace tokens expire after 1 hour by default (controlled by your Supabase JWT expiry setting). Your client must refresh the token and reconnect. API keys do not expire — use them for long-running agents and automation.

Choosing an auth method

	API key	Workspace token
Use case	Automation, CI, long-running agents	User-scoped integrations
Lifetime	Until rotated	1 hour (refreshable)
Permissions	Role of creating member	Role of authenticated user
Rotation	Manual (Settings → API Keys)	Automatic via Supabase refresh
MCP clients	Claude Desktop, Cursor, all clients	Custom agents only

Installation guide Tool reference MCP overview