whoami call confirming which capabilities you can exercise.
Closed beta. The MCP Manager Admin API and MCP server are available now to a
limited set of workspaces through the MCP Manager Admin API entitlement
(
ff-mcpm-admin), ahead of general availability. If you don’t see Settings →
MCP & API in your workspace, it isn’t enabled for you yet — ask your MCP Manager
contact to join the beta.Prerequisites
- Your workspace has the MCP Manager Admin API entitlement (
ff-mcpm-admin). If you don’t see Settings → MCP & API, it isn’t enabled yet — ask your MCP Manager contact to join the beta. - An MCP-capable client (for example Claude Code or Cursor), or any HTTP client for the REST twin.
Create an admin access token
An admin Personal Access Token authenticates every call to the Admin API. Create one from the app, then copy it into your client. The token secret is shown once.1
Open the MCP & API settings
Go to MCP & API → Tokens and select Create token.
2
Name the token and set an expiry
Give the token a Label you’ll recognise later (for example “Claude Desktop” or “CI pipeline”). Leave Expires in (days) blank for the 90-day default, enter a value from 1 to 90, or enter 0 for a token that never expires.
3
Copy the Connect URL and the token
The result panel shows two values. Copy the Connect URL (your workspace’s admin MCP endpoint) and the Access token (it starts with
mcpm_pat_). Store the token in a secret manager now — it will not be viewable again after you close the page.Register the admin MCP server in your client
Add the server to your MCP client using the Connect URL as the endpoint and the token as a bearer credential. Replace<connect-url> with the Connect URL you copied and mcpm_pat_... with your token.
- Claude Code
- Cursor
- REST (curl)
terminal
initialize response carries instructions telling the agent to route any “connect X” request through your gateway rather than wiring the client straight to the provider, and points the agent at the docs MCP server and llms.txt for reference.
Confirm access with whoami
Call the whoami tool (or GET /api/v1/mcpm-admin/whoami) as your first request. It needs no parameters and no special capability, and it returns your resolved user, organization, team, and role — plus the capability keys your role grants, which are exactly the operations you’re allowed to perform.
A successful
whoami response lists your capability keys. Use it to discover what you can do before attempting a gated write — a call you lack the capability for is refused with a 403.- MCP tool
- REST
Ask your agent to call the
whoami tool, or invoke it directly:Prefer OAuth over a long-lived token?
Interactive MCP clients that support OAuth can connect without a Personal Access Token: the admin server is an OAuth 2.1 protected resource, and a client that discovers it will run the authorization flow and obtain a short-lived bearer automatically. A token minted this way is audience-bound to the admin MCP resource, so it can’t be replayed against another endpoint. Personal Access Tokens remain the right choice for headless agents and pipelines. See Authentication & access for both paths.Further reading
Authentication & access
Token format and lifetime, OAuth audience binding, the entitlement, and capability gating.
Tool & endpoint reference
Every tool and endpoint, grouped by domain, with parameters and required capabilities.
Admin API & MCP overview
What the control-plane surface is and how MCP tools and the REST twin relate.
Capabilities
What each capability
whoami reports actually allows.
