Authentication
The MCP server authenticates with Pharus personal access tokens (PATs) — the same tokens used for any programmatic access to the API. Agents never do an interactive login.
Creating a token
- In the Pharus web client, open Settings → API Tokens.
- Create a token: give it a name (e.g. `claude-agent`), pick the organization it operates on, and optionally an expiry.
- Copy the token (`pharus_pat_...`) immediately — it is shown once and never again.
How it works
- The token is sent as a standard Bearer header on every MCP request: `Authorization: Bearer pharus_pat_...`
- Requests without a valid token get `401 Unauthorized` — including expired and revoked tokens.
- Org binding: every PAT is bound to one organization. All tool calls operate on that organization automatically; you never pass an org ID.
- Role enforcement: the token acts with your role in that organization (member/admin/owner). Endpoints that require admin (e.g. deleting master data) reject a member-role token with `403 Forbidden` — the agent sees a clean tool error, not silent failure.
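The checks above, shown as one server-side pipeline. This is an added example and not Pharus's own server code: the token store, the token values, the role names and the error shape are constructed assumptions; only the behaviours (Bearer header, `401` for missing, expired or revoked tokens, organization taken from the token rather than the request, `403` when the role is insufficient, `last_used_at` updated on success) come from the page.

```python
"""Server-side PAT validation for an MCP tool call (hypothetical example).

The store, token strings, roles and error dict below are constructed for
illustration; a real deployment would keep token hashes, not secrets.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Role ordering used for the 403 check (assumed: member < admin < owner).
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}


@dataclass
class TokenRecord:
    token: str                       # the secret itself; a real store would hold a hash
    name: str                        # e.g. the agent/integration that uses it
    org_id: str                      # the single organization the PAT is bound to
    role: str                        # the user's role in that organization
    expires_at: Optional[datetime]   # None = no expiry
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class AuthError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed token store, keyed by token value (placeholder tokens, not real ones).
TOKENS = {
    "pharus_pat_live_ok": TokenRecord("pharus_pat_live_ok", "claude-agent", "org_acme",
                                      "member", NOW + timedelta(days=30)),
    "pharus_pat_admin": TokenRecord("pharus_pat_admin", "ops-bot", "org_acme", "admin", None),
    "pharus_pat_expired": TokenRecord("pharus_pat_expired", "old-experiment", "org_acme",
                                      "member", NOW - timedelta(days=1)),
    "pharus_pat_revoked": TokenRecord("pharus_pat_revoked", "leaked", "org_acme",
                                      "owner", None, revoked=True),
}


def parse_bearer(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authenticate(headers: dict, now: datetime = NOW) -> TokenRecord:
    """Return the record for a valid PAT, or raise AuthError(401).

    Missing, unknown, revoked and expired tokens all get the same 401 so the
    response does not reveal which case applied.
    """
    token = parse_bearer(headers)
    if token is None:
        raise AuthError(401, "Unauthorized")
    rec = TOKENS.get(token)
    if rec is None or rec.revoked:
        raise AuthError(401, "Unauthorized")
    if rec.expires_at is not None and now >= rec.expires_at:
        raise AuthError(401, "Unauthorized")
    rec.last_used_at = now  # feeds the stale-token view in Settings → API Tokens
    return rec


def authorize_tool(rec: TokenRecord, required_role: str) -> None:
    """Raise AuthError(403) if the token's role in its org is below required_role."""
    if ROLE_RANK[rec.role] < ROLE_RANK[required_role]:
        raise AuthError(403, "Forbidden")


def handle_tool_call(headers: dict, tool: str, required_role: str = "member",
                     now: datetime = NOW) -> dict:
    """401 on a bad token, 403 on an insufficient role, otherwise the bound org."""
    try:
        rec = authenticate(headers, now)
        authorize_tool(rec, required_role)
    except AuthError as e:
        # A structured error, so the agent sees a clean tool failure.
        return {"error": {"status": e.status, "reason": e.reason}}
    # The organization comes from the token, never from the request body.
    return {"ok": True, "tool": tool, "org_id": rec.org_id, "acting_role": rec.role}


if __name__ == "__main__":
    print(handle_tool_call({"Authorization": "Bearer pharus_pat_live_ok"}, "list_items"))
    print(handle_tool_call({"Authorization": "Bearer pharus_pat_live_ok"},
                           "delete_master_data", required_role="admin"))
```

Two design points worth keeping even if the rest is adapted: the org ID is read from the token record and never from the call arguments, which is what makes the org binding enforceable; and every authentication failure collapses to the same `401`, so a caller cannot distinguish a revoked token from an unknown one.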
Good practice
- One token per agent. Name tokens after the agent/integration using them, so revoking one doesn't break another.
- Set an expiry for experiments; long-lived tokens only for production integrations.
- Revoke on suspicion. Revocation is immediate — in-flight agents get `401` on their next call.
- The token's `last_used_at` is tracked, so you can spot stale tokens in Settings → API Tokens.