Bearer tokens
A bearer token is a per-tenant credential your AI client uses to authenticate with Agency MCP. Think of it as a key: whoever holds the key can make tool calls against your GHL account, subject to whatever constraints you set on that key.
Creating a bearer
From your dashboard at https://agency-mcp.launchmaniac.com/app:
Step 1. Click + Add bearer.
Step 2. Give it a name that identifies the device or client it belongs to — for example, Cursor on MacBook Pro or Claude Desktop — work machine.
Step 3. Optionally set a safety mode (see below).
Step 4. Click Create. The plaintext token is shown once. Copy it and store it in your AI client's config file or password manager.
We store only a one-way hash of the token. We cannot recover the original if you lose it. If that happens, create a new bearer and revoke the old one.
The safety mode kill switch
When you create a bearer, you can cap what it's allowed to do:
- Read-only — the bearer can only call read-only tools. Any tool that writes, updates, or deletes a GHL record is rejected, regardless of what the AI asks for.
- No-delete — the bearer can read and write, but cannot perform destructive operations (bulk deletes, irreversible changes).
- Full access — no restrictions beyond your GHL OAuth scopes. Use this only for cleanup workflows where you need full range of action.
If you do not set a safety mode, the bearer defaults to full access — it can do anything your GHL OAuth grant allows.
Recommended defaults:
| Use case | Suggested mode |
| Exploring tools, reading reports | Read-only |
| Day-to-day agent operation | No-delete |
| Explicit bulk-delete or cleanup workflows | Full access |
Revoking a bearer
From your dashboard, find the bearer in the list and click Revoke. Revocation is immediate. The next request from that bearer is rejected with a 401 Unauthorized response. There is no grace period.
Auditing with last_used_at
Each bearer row shows a last used timestamp next to its name. Use this to spot bearers you have forgotten about or that belong to devices you no longer use. If a bearer has not been used in several months and you do not recognize it, revoke it.
Best practices
- One bearer per AI client per device. If you install Claude Desktop on two machines, give each its own bearer. This makes it easy to revoke one without affecting the other.
- Do not share a bearer across operators. A bearer is scoped to your agency tenant, not to an individual person, but sharing credentials across people makes auditing and revocation harder.
- Use descriptive names.
bearer-1is not useful six months later.Cursor — office iMacis. - Revoke what you do not use. Unused bearers are unnecessary attack surface. Keep the list short.
- Narrow the permission set when possible. Beyond safety mode, you can restrict each bearer to a subset of GHL scopes via the Permissions tab. A bearer dedicated to inbox triage has no business with billing or pipeline tools — turn those scopes off and the AI cannot call them by mistake. See Scope permissions for the walkthrough.