AAgency MCP
Dashboard Permissions Pending Actions Documentation Support
Privacy Terms
AI tools can make mistakes. Always grant the minimum scope to reduce risk. Your working data isn't used to train our models.

Bearer tokens

A bearer token is a per-tenant credential your AI client uses to authenticate with Agency MCP. Think of it as a key: whoever holds the key can make tool calls against your GHL account, subject to whatever constraints you set on that key.


Creating a bearer

From your dashboard at https://agency-mcp.launchmaniac.com/app:

Step 1. Click + Add bearer.

Step 2. Give it a name that identifies the device or client it belongs to — for example, Cursor on MacBook Pro or Claude Desktop — work machine.

Step 3. Optionally set a safety mode (see below).

Step 4. Click Create. The plaintext token is shown once. Copy it and store it in your AI client's config file or password manager.

We store only a one-way hash of the token. We cannot recover the original if you lose it. If that happens, create a new bearer and revoke the old one.


The safety mode kill switch

When you create a bearer, you can cap what it's allowed to do:

If you do not set a safety mode, the bearer defaults to full access — it can do anything your GHL OAuth grant allows.

Recommended defaults:

Use caseSuggested mode
Exploring tools, reading reportsRead-only
Day-to-day agent operationNo-delete
Explicit bulk-delete or cleanup workflowsFull access

Revoking a bearer

From your dashboard, find the bearer in the list and click Revoke. Revocation is immediate. The next request from that bearer is rejected with a 401 Unauthorized response. There is no grace period.


Auditing with last_used_at

Each bearer row shows a last used timestamp next to its name. Use this to spot bearers you have forgotten about or that belong to devices you no longer use. If a bearer has not been used in several months and you do not recognize it, revoke it.


Best practices