Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt

Use this file to discover all available pages before exploring further.

Interactive apps like Claude connect to a gateway through OAuth and appear automatically. Headless agents — code with no human at a browser — connect with an API access token instead. This page covers how to create a token-based host for an agent, generate and revoke its tokens, manage its connections, and cut access instantly with break-glass controls. For the advanced pattern where one agent carries each end user’s own identity through to downstream servers, see Agents that Pass Identities to MCP Manager.
Creating token-based hosts and generating tokens is gated by the Create and manage API tokens capability; cutting access uses Disable and enable connections and Disable and enable hosts. If you don’t see these controls, your role doesn’t have the capability — access depends on the capability, not on any fixed role name. See the capabilities reference.

Headed apps versus headless agents

A client is tracked in MCP Manager as a host, and how it connects determines how you set it up:
  • Headed apps (OAuth). Interactive clients connect through an OAuth flow and appear automatically the first time someone connects one — nothing to register in advance, and the connecting user’s identity rides in their OAuth token.
  • Headless agents (token-based). An agent with no interactive sign-in connects with an API access token. You create a token-based host to represent the agent and generate a token for it to present on each call.

Create a token-based host and generate a token

1

Create the token-based host

In Apps & Agents, create a token-based host and name it for the agent (for example, “Feedback bot”). You do this once, as an administrator.
2

Start the connection and choose the gateway

Generate an API access token for the host and select the gateway it should reach. You’re taken through the same authorization flow as any connection — confirming the gateway and bringing an identity for each per-user server (see Connection Experience).
3

Copy or download the token

On completion MCP Manager issues the API access token. Copy or download it now — it is shown once — and place it in the agent’s secret store. The token is scoped to that host and its connection to the chosen gateway, so it only reaches the servers that gateway exposes.

Revoking and rotating tokens

Revocation is immediate. Revoke a token by deleting it or disabling its host; to rotate, generate a new token and update the agent, then remove the old one. Because the token is bound to a specific host and gateway connection, revoking it stops only that agent’s access — nothing else is affected.

Managing connections

Each connection is the intersection of a specific host, a specific gateway, and a specific user. From a gateway’s Connections tab you can see every connection and disable or enable any one of them, cutting or restoring that single link without touching the host’s other connections.

Break-glass: cut access instantly

Every layer of a connection carries an enabled toggle that is checked on every request, with no caching, so disabling one takes effect at once and nothing is deleted in the meantime:
  • Disable a host to block an entire app or agent.
  • Disable a connection to sever one host-to-gateway link.
  • Disable an identity, a server, or a whole gateway to stop traffic at that scope.
Re-enabling restores access immediately. This is the control you reach for during an incident, an offboarding, or when a vetted agent starts misbehaving — one toggle, effective on the next call.

Carrying each user’s identity through an agent

A single token-based host can serve many end users while still using each user’s own downstream credential: every user enrolls once and brings their identity, MCP Manager mints them a per-user token, and the agent presents the right user’s token on each call so the downstream server acts as the real person — fully governed and logged. This advanced pattern, including the runtime sequence, is documented in Agents that Pass Identities to MCP Manager.

Further reading

Apps & Agents

How clients are tracked as hosts and how administrators allow or disable them.

Agents passing identities

One agent, many users, each acting as themselves through per-user tokens.

Connection Experience

The shared authorization flow that token-based hosts use to connect.

Authentication & Identity

How credentials are stored, refreshed, and revoked behind every token.