> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect an agent to the Admin MCP server

> How to create an MCP Manager admin access token and connect an agent or REST client to the admin MCP server: generate a Personal Access Token in Settings → MCP & API, copy the Connect URL, add the server to Claude or Cursor (or call the REST twin with curl), and confirm access with whoami.

This page connects an agent (or a REST client) to the MCP Manager Admin API. By the end you will have an admin access token, the admin MCP server registered in your client, and a successful `whoami` call confirming which capabilities you can exercise.

<Info>
  **Closed beta.** The MCP Manager Admin API and MCP server are available now to a
  limited set of workspaces through the **MCP Manager Admin API** entitlement
  (`ff-mcpm-admin`), ahead of general availability. If you don't see **Settings →
  MCP & API** in your workspace, it isn't enabled for you yet — ask your MCP Manager
  contact to join the beta.
</Info>

## Prerequisites

* Your workspace has the **MCP Manager Admin API** entitlement (`ff-mcpm-admin`). If you don't see **Settings → MCP & API**, it isn't enabled yet — ask your MCP Manager contact to join the beta.
* An MCP-capable client (for example Claude Code or Cursor), or any HTTP client for the REST twin.

## Create an admin access token

An **admin Personal Access Token** authenticates every call to the Admin API. Create one from the app, then copy it into your client. The token secret is shown **once**.

<Steps>
  <Step title="Open the MCP & API settings">
    Go to [MCP & API → Tokens](https://app.mcpmanager.ai/settings/tokens/tokens) and select **Create token**.
  </Step>

  <Step title="Name the token and set an expiry">
    Give the token a **Label** you'll recognise later (for example "Claude Desktop" or "CI pipeline"). Leave **Expires in (days)** blank for the 90-day default, enter a value from **1 to 90**, or enter **0** for a token that never expires.

    <Tip>
      Creating a token is **idempotent by label**: if a valid token with the same label already exists, MCP Manager returns that token's details instead of minting a duplicate — but it cannot re-show the secret. Use a new label when you need a fresh secret.
    </Tip>
  </Step>

  <Step title="Copy the Connect URL and the token">
    The result panel shows two values. Copy the **Connect URL** (your workspace's admin MCP endpoint) and the **Access token** (it starts with `mcpm_pat_`). Store the token in a secret manager now — it will not be viewable again after you close the page.

    <Warning>
      Treat the access token like a password. It carries your full identity and capabilities against the Admin API. If it leaks, revoke it immediately from the same page (**Revoke**).
    </Warning>
  </Step>
</Steps>

## Register the admin MCP server in your client

Add the server to your MCP client using the **Connect URL** as the endpoint and the token as a bearer credential. Replace `<connect-url>` with the Connect URL you copied and `mcpm_pat_...` with your token.

<Tabs>
  <Tab title="Claude Code">
    ```bash terminal theme={null}
    claude mcp add --transport http mcpm-admin <connect-url> \
      --header "Authorization: Bearer mcpm_pat_..."
    ```
  </Tab>

  <Tab title="Cursor">
    Add the server to your `mcp.json`:

    ```json mcp.json theme={null}
    {
      "mcpServers": {
        "mcpm-admin": {
          "url": "<connect-url>",
          "headers": {
            "Authorization": "Bearer mcpm_pat_..."
          }
        }
      }
    }
    ```
  </Tab>

  <Tab title="REST (curl)">
    The REST twin lives under `/api/v1/mcpm-admin` on the same host as your Connect URL. Send the token as a bearer credential:

    ```bash terminal theme={null}
    curl -H "Authorization: Bearer mcpm_pat_..." \
      https://<your-host>/api/v1/mcpm-admin/whoami
    ```
  </Tab>
</Tabs>

The admin MCP server registers under the name **MCP Manager Admin**. Its `initialize` response carries instructions telling the agent to route any "connect X" request **through your gateway** rather than wiring the client straight to the provider, and points the agent at the docs MCP server and `llms.txt` for reference.

## Confirm access with `whoami`

Call the `whoami` tool (or `GET /api/v1/mcpm-admin/whoami`) as your first request. It needs no parameters and no special capability, and it returns your resolved user, organization, team, and role — plus the **capability keys your role grants**, which are exactly the operations you're allowed to perform.

<Check>
  A successful `whoami` response lists your capability keys. Use it to discover what you can do before attempting a gated write — a call you lack the capability for is refused with a `403`.
</Check>

<Tabs>
  <Tab title="MCP tool">
    Ask your agent to call the `whoami` tool, or invoke it directly:

    ```json theme={null}
    {}
    ```
  </Tab>

  <Tab title="REST">
    ```bash terminal theme={null}
    curl -H "Authorization: Bearer mcpm_pat_..." \
      https://<your-host>/api/v1/mcpm-admin/whoami
    ```
  </Tab>
</Tabs>

## Prefer OAuth over a long-lived token?

Interactive MCP clients that support OAuth can connect without a Personal Access Token: the admin server is an OAuth 2.1 protected resource, and a client that discovers it will run the authorization flow and obtain a short-lived bearer automatically. A token minted this way is **audience-bound** to the admin MCP resource, so it can't be replayed against another endpoint. Personal Access Tokens remain the right choice for headless agents and pipelines. See [Authentication & access](/admin-api/authentication) for both paths.

## Further reading

<CardGroup cols={2}>
  <Card title="Authentication & access" icon="shield-halved" href="/admin-api/authentication">
    Token format and lifetime, OAuth audience binding, the entitlement, and capability gating.
  </Card>

  <Card title="Tool & endpoint reference" icon="book" href="/admin-api/reference/overview">
    Every tool and endpoint, grouped by domain, with parameters and required capabilities.
  </Card>

  <Card title="Admin API & MCP overview" icon="terminal" href="/admin-api/overview">
    What the control-plane surface is and how MCP tools and the REST twin relate.
  </Card>

  <Card title="Capabilities" icon="key" href="/deployment/rbac-and-roles/capabilities">
    What each capability `whoami` reports actually allows.
  </Card>
</CardGroup>
