Authentication
The MCP server uses the same API tokens as the REST API. Every request carries the token in the Authorization header; each tool checks that the token holds the required ability before running.
Mint a token
- Open API tokens.
- Click Create token, name it (e.g. "Claude Code").
- Pick the abilities. Less is more - you can always mint another.
- Copy the value. It's shown once.
Set it in your client config (Authorization: Bearer … for HTTP, AUTH_TOKEN env var for stdio).
Abilities
| Ability | Powers |
|---|---|
| forms:read | List, fetch forms; framework integration catalog |
| forms:write | Create, update, publish, archive, restore |
| forms:test-email | Send test autoresponder / notification emails |
| submissions:read | Read submissions, files, signed URLs, form stats |
| submissions:write | Update, delete, bulk action, mark spam |
| submissions:export | Inline JSON export (up to 500 rows) |
| webhooks:read | List webhooks and deliveries (Pro and above) |
| webhooks:write | Create, update, delete, replay (Pro and above) |
| surveys:read | List, fetch surveys (Pro and above) |
| surveys:write | Create, update, publish, unpublish, delete surveys (Pro and above) |
| funnels:read | List, fetch funnels (Pro and above) |
| funnels:write | Create, update, delete; add screens/blocks; set logic, score, pixels, CAPI (Pro and above) |
| funnels:publish | Publish or unpublish a funnel (Pro and above) |
| funnels:analytics | Funnel analytics and session lists (Pro and above) |
| links:read | List, fetch short links (all plans) |
| links:write | Create, update, delete short links (all plans) |
| automations:read | List automations, runs, run details (all plans) |
| automations:write | Create, update, enable, disable, delete automations (all plans) |
| automations:run | Manually trigger or replay automation runs (all plans) |
| billing:read | Team summary, plan, usage, subscription state |
| insights:read | Read AI insights (Pro and above) |
| insights:write | Trigger regeneration (Pro and above) |
| tokens:read | List your own tokens |
| tokens:write | Mint and revoke tokens (subset of caller's abilities) |
Abilities are independent of plan: you can mint surveys:write on Free, but survey tools are hidden from tools/list and return plan errors if invoked. The in-app setup wizard defaults to every ability except tokens:write.
Plan vs. ability
- Ability - does the token include what the tool needs?
- Plan - does the team's subscription include the product (surveys, funnels, webhooks, AI)? Paid-only tools, resources, and prompts are filtered out of list responses on Free.
- Policy - for mutations, does the user have the dashboard permission?
- Team - does the record belong to the calling team?
Miss any check and the tool refuses (or never appears in the client's tool picker).
Team scoping
Every token is minted in one team. Cross-team lookups return "not found" (not "forbidden") so an agent can't enumerate other teams. Switch teams in the dashboard before minting.
Revocation
Pull a token from API tokens in one click. The next call from the agent fails. No grace period.
Refusal message
Token missing required ability `submissions:write`.
The agent sees this in the tool result and either asks you, or falls back to a tool that's in scope.
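The four checks under "Plan vs. ability", the "not found" rule from "Team scoping" and the refusal message above, modeled as an added Python sketch; this is not the server's own code. The tool names, the `plan error` and `policy error` strings, and the `Tool`/`Token` shapes are assumptions; the ability strings and the refusal text come from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tool:                      # hypothetical registry entry
    name: str
    ability: str                 # ability string from the table above
    paid_only: bool = False      # product gated to Pro and above
    mutation: bool = False       # mutations also need the dashboard permission

# Constructed sample tools; the names are assumptions, not the server's tool list.
TOOLS = {t.name: t for t in (
    Tool("list_submissions", "submissions:read"),
    Tool("delete_submission", "submissions:write", mutation=True),
    Tool("list_surveys", "surveys:read", paid_only=True),
)}

@dataclass(frozen=True)
class Token:                     # hypothetical view of a minted token
    team_id: int
    abilities: frozenset
    plan: str = "free"           # "free" or "pro"
    can_mutate: bool = True      # stands in for the user's dashboard permission

def list_tools(token):
    """tools/list view: paid-only tools are filtered out on Free."""
    return sorted(t.name for t in TOOLS.values()
                  if token.plan != "free" or not t.paid_only)

def authorize(token, tool_name, record_team_id=None):
    """Return (ok, message). All four checks must pass."""
    tool = TOOLS[tool_name]
    # 1. Ability: does the token include what the tool needs?
    if tool.ability not in token.abilities:
        return False, f"Token missing required ability `{tool.ability}`."
    # 2. Plan: minting a paid ability on Free does not unlock the tool.
    if tool.paid_only and token.plan == "free":
        return False, "plan error"       # placeholder message text
    # 3. Policy: mutations need the dashboard permission.
    if tool.mutation and not token.can_mutate:
        return False, "policy error"     # placeholder message text
    # 4. Team: checks 1-3 never look at the record, so only this answer depends
    #    on it, and it is the same answer a nonexistent record would get.
    if record_team_id is not None and record_team_id != token.team_id:
        return False, "not found"
    return True, "ok"
```
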