> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# What is the MCP credentials page?

<Info>
  ### Atoti Intelligence SDK

  This is part of the Atoti Intelligence SDK offer.
</Info>

The MCP credentials page is a built-in browser interface that mints long-lived JWT bearer tokens for use with MCP clients. Instead of embedding a username and password in every MCP client configuration, a signed-in user generates a token once and pastes it into the client. This page is opt-in and disabled by default.

## Prerequisites

Before the MCP credentials page is available, ensure the following conditions are met:

* The Atoti application has a valid AI license
* The `starter-ai-mcp-server` dependency is included in the project
* The `atoti.mcp.credentials.enabled` property is set to `true` (see "How to enable the credentials page" below)

## How to enable the credentials page

The credentials page is disabled by default. To enable it, add the following to the application configuration:

```yaml theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
atoti:
  mcp:
    credentials:
      enabled: true
```

The equivalent environment variable is `ATOTI_MCP_CREDENTIALS_ENABLED=true`.

When this property is absent or set to `false`, no beans for the credentials page load and the `/mcp-credentials/**` path is not handled.

<Warning>
  Enable this feature deliberately. The page allows any authenticated Atoti user to mint long-lived tokens. Review access controls before enabling in production environments.
</Warning>

## Optional configuration

The following property controls the maximum token lifetime a user can request:

| Property                             | Type     | Default | Description                                                                                        |
| ------------------------------------ | -------- | ------- | -------------------------------------------------------------------------------------------------- |
| `atoti.mcp.credentials.max-lifetime` | Duration | `P365D` | Upper bound on the requested expiration date. Requests beyond this limit return `400 Bad Request`. |

Example — restrict token lifetime to 30 days:

```yaml theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
atoti:
  mcp:
    credentials:
      max-lifetime: P30D
```

## How to generate a token

The MCP credentials page is available at `/mcp-credentials` once the property is enabled.

If the session is not authenticated, Spring Security redirects to `/login/index.html?redirectUrl=/mcp-credentials` and returns to the credentials page after a successful login.

To generate a token:

1. Navigate to `/mcp-credentials` in a browser while signed in to the Atoti application.
2. Select an expiration preset: **7 days**, **30 days**, **60 days**, **90 days**, **1 year**, or **Custom date**.
3. For a custom date, select a date within the configured maximum lifetime.
4. Click **Generate token**.
5. Copy the displayed token immediately.

<Warning>
  Atoti does not store the token after it is displayed. If the token is lost, generate a new one.
</Warning>

## How to use the token with an MCP client

Pass the token as a bearer authorization header in the MCP client configuration.

The following example shows how to configure Claude Desktop with a bearer token. Replace `9090` with the application port and `<jwt>` with the generated token:

```json theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
{
  "mcpServers": {
    "my-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "http://localhost:9090/sse",
        "--header",
        "Authorization: Bearer <jwt>",
        "--header",
        "Content-Type: application/json",
        "--header",
        "Accept: text/event-stream",
        "sse-only"
      ]
    }
  }
}
```

The same bearer token can be used in any MCP-compatible client that accepts custom HTTP headers.

## What the token contains

The token is a standard RS512-signed JWT. It contains the following claims:

| Claim         | Description                                     |
| ------------- | ----------------------------------------------- |
| `sub`         | The authenticated user's username               |
| `iss`         | `activeviam`                                    |
| `iat`         | Issued-at timestamp                             |
| `nbf`         | Not-before timestamp                            |
| `exp`         | Expiration timestamp matching the selected date |
| `jti`         | Unique token identifier                         |
| `authorities` | The user's roles at the time of minting         |

## Security considerations

* **Tokens are not persisted.** The server does not store tokens after issuing them. There is no server-side revocation list.
* **Expiration is the only revocation mechanism.** If a token must be invalidated before its expiration date, the only option is to rotate the RSA key used to sign tokens, which invalidates all existing tokens.
* **Losing a token is not recoverable.** Generate a new token from the credentials page.
* **Token authorities are fixed at mint time.** If the user's roles change after the token is minted, the token still carries the original authorities until it expires.
* **The page is opt-in.** It is disabled by default to follow the principle of least privilege.

## Related reading

* [Atoti MCP server setup guide](./atoti-mcp-server-setup) for initial server configuration
* [How to connect with Claude](./connect-with-claude) for Claude Desktop configuration examples
* [How to connect with Postman](./connect-with-postman) for testing with Postman