Closed beta. The MCP Manager Admin API and MCP server are available now to a
limited set of workspaces through the MCP Manager Admin API entitlement
(
ff-mcpm-admin), ahead of general availability. If you don’t see Settings →
MCP & API in your workspace, it isn’t enabled for you yet — ask your MCP Manager
contact to join the beta.Who Am I
Read-only Return the authenticated identity and granted capabilities. Returns the resolved user, organization, team, role, and the capability keys the caller’s role grants — i.e. exactly which configuration actions are permitted. Useful as a first call to confirm authentication and discover available actions. MCP tool:whoami · REST: GET /api/v1/mcpm-admin/whoami · Capability: none — available to any authenticated caller
Parameters: none.
Example
Create Access Token
Create a Personal Access Token for the authenticated user. Mints a new Personal Access Token. The plaintext token is returned once — store it securely; only its SHA-256 hash is persisted. Use it asAuthorization: Bearer <token>. Choose an expiry up to 90 days (the default), or 0 to never expire; revoke anytime. Idempotent by label: if you already have a token with this label, the existing one is returned with alreadyExisted: true and token: null (its secret cannot be re-shown) rather than minting a duplicate — pick a new label if you need a fresh secret.
MCP tool: create_access_token · REST: POST /api/v1/mcpm-admin/tokens · Capability: none — available to any authenticated caller
Parameters
A human-readable name to identify this token later (e.g. “Claude Desktop”, “CI pipeline”).
Days until the token expires (1–90). Omit for the 90-day default; use 0 for a token that never expires.
List Access Tokens
Read-only List the authenticated user’s access tokens. Returns token metadata (label, a recognisable non-secret prefix, last-used time). Secrets are never returned. MCP tool:list_access_tokens · REST: GET /api/v1/mcpm-admin/tokens · Capability: none — available to any authenticated caller
Parameters: none.
Example
Revoke Access Token
Destructive Revoke one of the authenticated user’s access tokens. Soft-deletes the token by id. Scoped to the caller — you cannot revoke another user’s token. MCP tool:revoke_access_token · REST: DELETE /api/v1/mcpm-admin/tokens/:id · Capability: none — available to any authenticated caller
Parameters
The id of the token to revoke (from list_access_tokens).
List Capabilities
Read-only List the full set of MCP Manager capabilities, grouped as in the product. Returns every capability key, grouped as it appears in the product (Identities, Servers, Gateways, Hosts, People, Workspace settings, Logging, Alerting, Reporting, Integrations, and Partner Portal), each with a label and description. Use this to discover the valid capability keys — and what each grants — before building a role’sgrants map with create_role or modify_role. Partner Portal capabilities only apply to partner-type workspaces.
MCP tool: list_capabilities · REST: GET /api/v1/mcpm-admin/capabilities · Capability: none — available to any authenticated caller
Parameters: none.
Example
Further reading
Servers
Where to go next in this section.
Authentication & access
Tokens, the entitlement, capability gating, and error codes for every operation here.
Tool & endpoint reference
The full reference index across every domain.
Capabilities
What each capability named on this page actually allows.

