Moly
SettingsIntegrations

Personal Access Tokens

Long-lived MCP credentials for headless tools — scripts, CLIs, CI, custom integrations.

Personal Access Tokens

Personal Access Tokens (PATs) authenticate to Moly's MCP server without going through the OAuth browser flow. Use them when:

  • You're writing scripts, CLI wrappers, or cron jobs
  • Your tool doesn't speak OAuth (or you don't want the refresh overhead)
  • You need a credential that lives beyond a 15-minute access-token window

For interactive MCP clients (Claude.ai, Cursor, VS Code), use OAuth instead — it's safer and rotates automatically.

Creating a token

  1. Go to Settings → Integrations → Personal Access Tokens.
  2. Click Create token.
  3. Give it a memorable name (e.g. Claude Code on Laptop, CI deploy script).
  4. Pick an expiry:
    • 7 / 30 / 90 days — recommended for individual use
    • 1 year — recommended for shared CI tokens
    • Never — long-lived, only if you accept the risk
  5. Click Create token.

A dialog shows your new token. Copy it now — Moly never shows it again. If you lose it, revoke and create a new one.

Using a token

The token format is mp_<32-byte-random>. Send it as a Bearer header:

GET /mcp
Authorization: Bearer mp_AbCdEf012345...

For Claude Code / Cursor / VS Code config snippets, see the client-specific guides.

For raw HTTP calls (e.g., curl, custom integrations):

curl -X POST https://api.moly.so/mcp \
  -H "Authorization: Bearer mp_AbCdEf..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'

What a token can do

PATs are scoped to the MCP endpoint only — they cannot authenticate against any other Moly API. Inside MCP, they grant all tool scopes (read, write, admin). If you need narrower access, use OAuth and ask for only the scopes you need.

A PAT acts as your user. Workspace memberships, project permissions, and soft-delete state all apply identically whether you call via the web app, OAuth, or PAT.

Revoking a token

In Moly: Settings → Integrations → Personal Access Tokens → Revoke.

Revocation is immediate — any tool using that token gets a 401 on its next call. There is no grace period.

If you suspect a token has leaked, revoke first, then investigate. Creating a replacement takes 10 seconds.

Best practices

  • One token per workload. Separate PATs per machine / CI job / script make revocation surgical.
  • Set an expiry. Even 1 year is better than never — forces a rotation cadence.
  • Don't check tokens into git. Use environment variables or a secrets manager.
  • Don't put tokens in URLs. Always use the Authorization header.
  • Rotate after team changes. If someone with access to a shared PAT leaves the project, rotate it.

Audit trail

Every MCP call — PAT or OAuth — writes an audit row tagging the credential used (pat_id for PAT, oauth_client_id + jti for OAuth). Workspace admins can request an audit trail of any token's activity from support.

PAT vs OAuth at a glance

PATOAuth
LifetimeUp to forever15 min access / 30 day refresh
SetupPaste into configBrowser redirect
RevokeSettings → Personal Access TokensSettings → Connected MCP clients
Per-deviceOne per device recommendedAutomatic — each client device is its own connection
Audit rowauth_source=pat + pat_idauth_source=oauth + client_id + jti
Best forHeadless tools, CI, scriptsClaude.ai, Cursor, VS Code, Windsurf

Connect Claude Code

Add Moly to the Claude Code CLI using a Personal Access Token for headless tool access.

On this page

Personal Access TokensCreating a tokenUsing a tokenWhat a token can doRevoking a tokenBest practicesAudit trailPAT vs OAuth at a glance