Docs

Access keys

Workspace-bound keys for direct MCP clients — scopes, expiry, rotation.

Access keys authenticate direct MCP clients (Claude Code, Codex, Cursor, VS Code and similar). ChatGPT and Claude connectors use OAuth instead — see Connect agents.

Properties

  • Keys are bound to one workspace and scoped to skills:read plus skills:write: they can list/pull granted Ready versions and save packages authored in the connected client as Drafts. They can also explicitly inspect and test only Draft versions authored by that key's user.
  • The key value is shown exactly once at creation. Copy it there — the workspace stores only a hash.
  • Keys expire on a schedule you pick when creating them (30, 90 or 180 days).
  • One key works from any MCP client; the workspace records which client used it last so you can tell your connections apart.

Rotation

Rotate a key in place from Agents: the new value is issued immediately and the old value keeps working for 24 hours while you swap configs. Rotation keeps the key's history and connections.

If a key leaks

Rotate it (the old value dies after the grace period) or delete it outright. A leaked key can read the Ready versions its owner can access and create or replace and test that owner's authorized Drafts. It cannot read or test another member's Draft, even if that member is a workspace admin. It still cannot scan, release, submit, approve, grant access, switch workspaces, or edit Ready content, but rotate or revoke it immediately.