Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt

Use this file to discover all available pages before exploring further.

Atoti Intelligence SDK

This is part of the Atoti Intelligence SDK offer.
The MCP credentials page is a built-in browser interface that mints long-lived JWT bearer tokens for use with MCP clients. Instead of embedding a username and password in every MCP client configuration, a signed-in user generates a token once and pastes it into the client. This page is opt-in and disabled by default.

Prerequisites

Before the MCP credentials page is available, ensure the following conditions are met:
  • The Atoti application has a valid AI license
  • The starter-ai-mcp-server dependency is included in the project
  • The atoti.mcp.credentials.enabled property is set to true (see “How to enable the credentials page” below)

How to enable the credentials page

The credentials page is disabled by default. To enable it, add the following to the application configuration: 
atoti:
  mcp:
    credentials:
      enabled: true
The equivalent environment variable is ATOTI_MCP_CREDENTIALS_ENABLED=true. When this property is absent or set to false, no beans for the credentials page load and the /mcp-credentials/** path is not handled.
Enable this feature deliberately. The page allows any authenticated Atoti user to mint long-lived tokens. Review access controls before enabling in production environments.

Optional configuration

The following property controls the maximum token lifetime a user can request:
PropertyTypeDefaultDescription
atoti.mcp.credentials.max-lifetimeDurationP365DUpper bound on the requested expiration date. Requests beyond this limit return 400 Bad Request.
Example — restrict token lifetime to 30 days: 
atoti:
  mcp:
    credentials:
      max-lifetime: P30D

How to generate a token

The MCP credentials page is available at /mcp-credentials once the property is enabled. If the session is not authenticated, Spring Security redirects to /login/index.html?redirectUrl=/mcp-credentials and returns to the credentials page after a successful login. To generate a token:
  1. Navigate to /mcp-credentials in a browser while signed in to the Atoti application.
  2. Select an expiration preset: 7 days, 30 days, 60 days, 90 days, 1 year, or Custom date.
  3. For a custom date, select a date within the configured maximum lifetime.
  4. Click Generate token.
  5. Copy the displayed token immediately.
Atoti does not store the token after it is displayed. If the token is lost, generate a new one.

How to use the token with an MCP client

Pass the token as a bearer authorization header in the MCP client configuration. The following example shows how to configure Claude Desktop with a bearer token. Replace 9090 with the application port and <jwt> with the generated token: 
{
  "mcpServers": {
    "my-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "http://localhost:9090/sse",
        "--header",
        "Authorization: Bearer <jwt>",
        "--header",
        "Content-Type: application/json",
        "--header",
        "Accept: text/event-stream",
        "sse-only"
      ]
    }
  }
}
The same bearer token can be used in any MCP-compatible client that accepts custom HTTP headers.

What the token contains

The token is a standard RS512-signed JWT. It contains the following claims:
ClaimDescription
subThe authenticated user’s username
issactiveviam
iatIssued-at timestamp
nbfNot-before timestamp
expExpiration timestamp matching the selected date
jtiUnique token identifier
authoritiesThe user’s roles at the time of minting

Security considerations

  • Tokens are not persisted. The server does not store tokens after issuing them. There is no server-side revocation list.
  • Expiration is the only revocation mechanism. If a token must be invalidated before its expiration date, the only option is to rotate the RSA key used to sign tokens, which invalidates all existing tokens.
  • Losing a token is not recoverable. Generate a new token from the credentials page.
  • Token authorities are fixed at mint time. If the user’s roles change after the token is minted, the token still carries the original authorities until it expires.
  • The page is opt-in. It is disabled by default to follow the principle of least privilege.