API tokens
Mint a personal access token, understand the security model, and revoke when you're done.
What tokens are for
API tokens are personal access tokens scoped to your Audito account. Today they exist for one reason: authenticating the MCP server when Claude Code (or any other MCP client) talks to Audito on your behalf. There's no programmatic REST API yet — the MCP is the only consumer.
Tokens carry your identity, not the workspace's. Anything you can do in the dashboard (read your libraries, triage your findings, edit your dependencies), the token can do too. Anything you can't do — like reading another user's data — Postgres RLS blocks at the database level, regardless of the token.
Mint a token
- Go to /dashboard/settings/api-tokens.
- Click New token and give it a label (claude-laptop, mcp-vercel, …) so future-you knows what to revoke.
- Audito generates a token prefixed audt_ and shows it once. Copy it into your password manager or directly into the MCP client config — there is no "show again" path.
Security model
- Hashed at rest. Only the SHA-256 hash of the token is stored. Audito cannot show you a token after creation; if you lose it, mint a new one and delete the old.
- Per-user. Tokens always carry the user's Clerk identity (and current org id, when one is active). When the MCP server validates a token, it mints a short-lived Supabase JWT carrying that identity, and every query runs through Postgres with RLS enforcing what the user can see — exactly like the dashboard.
- Revocable. Delete a token from the settings page and it stops working immediately. Revoked tokens can't be un-revoked.
- No expiry today. Treat tokens like long-lived credentials and rotate them when laptops change hands.
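The validation path described above, as an added example in TypeScript that is not Audito's own code: hash the presented bearer token, look it up by SHA-256 digest in a constructed stand-in for the api_tokens table, reject revoked tombstone rows, and mint a short-lived HS256 session JWT for the resolved identity. The token format after the audt_ prefix, the table columns, and the JWT claim names other than sub and exp are assumptions of this example.

```typescript
import { createHash, createHmac } from "node:crypto";

// Constructed stand-in for the api_tokens table. Rows are keyed by the SHA-256
// hex digest of the plaintext token; the plaintext is never stored. Revoking
// sets revokedAt instead of deleting the row, leaving a tombstone.
interface TokenRow { id: string; label: string; userId: string; orgId: string | null; revokedAt: string | null }
interface Identity { userId: string; orgId: string | null }
const apiTokens = new Map<string, TokenRow>();

const sha256Hex = (s: string): string => createHash("sha256").update(s).digest("hex");

function mintToken(plaintext: string, row: Omit<TokenRow, "revokedAt">): void {
  apiTokens.set(sha256Hex(plaintext), { ...row, revokedAt: null });
}

function revokeToken(id: string, at: string): boolean {
  for (const row of apiTokens.values()) {
    if (row.id === id && !row.revokedAt) { row.revokedAt = at; return true; }
  }
  return false;
}

// Resolve "Authorization: Bearer audt_..." to the owning identity, or null.
// The token format after the audt_ prefix is an assumption of this example.
function authenticate(authorization: string | undefined): Identity | null {
  const m = /^Bearer\s+(audt_\S+)$/.exec(authorization ?? "");
  if (!m) return null;
  const [, presented] = m;
  const row = apiTokens.get(sha256Hex(presented));
  if (!row || row.revokedAt) return null; // unknown or tombstoned: reject
  return { userId: row.userId, orgId: row.orgId };
}

// Short-lived HS256 JWT carrying that identity, of the kind an RLS-enforcing
// database would consume. Claim names other than sub/exp are assumptions.
const b64url = (s: string): string => Buffer.from(s).toString("base64url");
function mintSessionJwt(id: Identity, secret: string, nowSec: number, ttlSec = 300): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub: id.userId, org_id: id.orgId, iat: nowSec, exp: nowSec + ttlSec }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

function jwtClaims(jwt: string): { sub: string; org_id: string | null; iat: number; exp: number } {
  return JSON.parse(Buffer.from(jwt.split(".")[1] ?? "", "base64url").toString("utf8"));
}

// Constructed sample rows: two tokens for one user, the second later revoked.
mintToken("audt_laptop_EXAMPLE", { id: "tok_1", label: "claude-laptop", userId: "user_abc", orgId: "org_xyz" });
mintToken("audt_vercel_EXAMPLE", { id: "tok_2", label: "mcp-vercel", userId: "user_abc", orgId: null });
revokeToken("tok_2", "2025-01-01T00:00:00Z");
```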
Where the token gets used
Pass the token in the Authorization: Bearer audt_… header when configuring the MCP server. See MCP setup for the full Claude Code wiring.
If you accidentally publish a token (committed it, posted it in a chat), revoke it from the settings page and mint a new one. The old token's hash stays in api_tokens as a tombstone, so abuse can be traced if needed.