> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Account & Access Tokens

> Admin API operations for confirming who you are and what your role permits, and for creating, listing, and revoking your own MCP Manager admin Personal Access Tokens.

These operations confirm your identity and capabilities and manage your own admin access tokens. They are available to any authenticated caller — no extra capability is required.

<Info>
  **Closed beta.** The MCP Manager Admin API and MCP server are available now to a
  limited set of workspaces through the **MCP Manager Admin API** entitlement
  (`ff-mcpm-admin`), ahead of general availability. If you don't see **Settings →
  MCP & API** in your workspace, it isn't enabled for you yet — ask your MCP Manager
  contact to join the beta.
</Info>

## Who Am I

<Badge color="green">Read-only</Badge>

Return the authenticated identity and granted capabilities.

Returns the resolved user, organization, team, role, and the capability keys the caller's role grants — i.e. exactly which configuration actions are permitted. Useful as a first call to confirm authentication and discover available actions.

**MCP tool:** `whoami` · **REST:** `GET /api/v1/mcpm-admin/whoami` · **Capability:** none — available to any authenticated caller

**Parameters:** none.

**Example**

```json theme={null}
{}
```

## Create Access Token

Create a Personal Access Token for the authenticated user.

Mints a new Personal Access Token. The plaintext token is returned **once** — store it securely; only its SHA-256 hash is persisted. Use it as `Authorization: Bearer <token>`. Choose an expiry up to 90 days (the default), or 0 to never expire; revoke anytime. Idempotent by label: if you already have a token with this label, the existing one is returned with `alreadyExisted: true` and `token: null` (its secret cannot be re-shown) rather than minting a duplicate — pick a new label if you need a fresh secret.

**MCP tool:** `create_access_token` · **REST:** `POST /api/v1/mcpm-admin/tokens` · **Capability:** none — available to any authenticated caller

**Parameters**

<ParamField body="displayLabel" type="string" required>
  A human-readable name to identify this token later (e.g. "Claude Desktop", "CI pipeline").
</ParamField>

<ParamField body="expiresInDays" type="integer">
  Days until the token expires (1–90). Omit for the 90-day default; use 0 for a token that never expires.
</ParamField>

**Example**

```json theme={null}
{"displayLabel":"CI pipeline"}
```

## List Access Tokens

<Badge color="green">Read-only</Badge>

List the authenticated user's access tokens.

Returns token metadata (label, a recognisable non-secret prefix, last-used time). Secrets are never returned.

**MCP tool:** `list_access_tokens` · **REST:** `GET /api/v1/mcpm-admin/tokens` · **Capability:** none — available to any authenticated caller

**Parameters:** none.

**Example**

```json theme={null}
{}
```

## Revoke Access Token

<Badge color="red">Destructive</Badge>

Revoke one of the authenticated user's access tokens.

Soft-deletes the token by id. Scoped to the caller — you cannot revoke another user's token.

**MCP tool:** `revoke_access_token` · **REST:** `DELETE /api/v1/mcpm-admin/tokens/:id` · **Capability:** none — available to any authenticated caller

**Parameters**

<ParamField path="id" type="string" required>
  The id of the token to revoke (from list\_access\_tokens).
</ParamField>

**Example**

```json theme={null}
{"id":"CAT-..."}
```

## List Capabilities

<Badge color="green">Read-only</Badge>

List the full set of MCP Manager capabilities, grouped as in the product.

Returns every capability key, grouped as it appears in the product (Identities, Servers, Gateways, Hosts, People, Workspace settings, Logging, Alerting, Reporting, Integrations, and Partner Portal), each with a label and description. Use this to discover the valid capability keys — and what each grants — before building a role's `grants` map with create\_role or modify\_role. Partner Portal capabilities only apply to partner-type workspaces.

**MCP tool:** `list_capabilities` · **REST:** `GET /api/v1/mcpm-admin/capabilities` · **Capability:** none — available to any authenticated caller

**Parameters:** none.

**Example**

```json theme={null}
{}
```

## Further reading

<CardGroup cols={2}>
  <Card title="Servers" icon="arrow-right" href="/admin-api/reference/servers">
    Where to go next in this section.
  </Card>

  <Card title="Authentication & access" icon="shield-halved" href="/admin-api/authentication">
    Tokens, the entitlement, capability gating, and error codes for every operation here.
  </Card>

  <Card title="Tool & endpoint reference" icon="book" href="/admin-api/reference/overview">
    The full reference index across every domain.
  </Card>

  <Card title="Capabilities" icon="key" href="/deployment/rbac-and-roles/capabilities">
    What each capability named on this page actually allows.
  </Card>
</CardGroup>
