Moly
SettingsIntegrations

Integrations

Connect Moly to AI assistants like Claude.ai, Cursor, and VS Code via the Model Context Protocol.

Integrations

Moly exposes a Model Context Protocol (MCP) server so AI assistants can read and modify your workspace on your behalf — list tasks, create pages, file comments, walk the project hierarchy, all from the assistant's chat.

There are two ways to connect:

MethodBest forSetup
OAuthSpec-compliant MCP clients with their own UI: Claude.ai, Cursor, VS Code, WindsurfOne-click — the client walks you through Moly login, no token to manage
Personal Access Token (PAT)Headless tools, CLIs, scripts, custom integrationsGenerate a token in Moly, paste into your tool's config

Both methods grant the same access — every MCP tool is available either way. The differences are in how the credential is obtained and managed:

  • OAuth tokens rotate every 15 minutes and refresh automatically through the bridge; revoking a connection kicks the client off everywhere immediately.
  • PATs are long-lived until you rotate them; ideal for cron jobs, deployment scripts, or anything without a browser.

You can have both active at the same time — they don't compete.

Pick the right guide

Managing your connections

Every active OAuth connection appears under Settings → Integrations → Connected MCP clients. From there you can:

  • See which client connected (Claude.ai, Cursor, etc.)
  • See what scopes the client has (read, write, admin)
  • See when it last refreshed its session
  • Disconnect — the client loses access on its next request

PATs are listed and managed separately in the same screen under Personal Access Tokens.

Security model in 30 seconds

  • MCP requests hit https://<your-moly-host>/mcp. The endpoint is rate-limited per credential.
  • OAuth tokens are issued by AWS Cognito (the same identity provider Moly uses for the web app) and bound to the MCP endpoint so they cannot be replayed against other Moly APIs.
  • The MCP server only does what your Moly account can do — workspace permissions and project visibility apply identically whether you act through the web app or through MCP.
  • PATs are SHA-256-hashed at rest; the raw token is shown to you exactly once at creation and never again. Treat them like passwords.
  • Every MCP tool call is audited. You can ask support for an audit trail of what an AI assistant did on your account.

What MCP can and cannot do

The MCP server exposes ~60 tools across tasks, pages, comments, attachments, links, labels, custom fields, cycles, and workspace inspection. It cannot access:

  • Billing / subscription endpoints
  • Account or workspace deletion
  • Other users' private workspaces
  • Anything outside the MCP scope set you granted at connection time (read/write/admin)

For a full tool list, ask your connected client (/list_tasks, etc. — most clients can enumerate available tools).

Custom Fields

Manage custom task fields when enabled

Connect Claude.ai

Add Moly as a custom connector in Claude.ai (web or desktop) to give Claude access to your tasks, pages, and projects.

On this page

IntegrationsPick the right guideManaging your connectionsSecurity model in 30 secondsWhat MCP can and cannot do