Authentication
The MCP server accepts two kinds of credentials. Both are bound to a single organization and both act with your role in that organization:
- OAuth — for connector-style clients (Claude Desktop, claude.ai). You add the server by URL and sign in through a Pharus consent page, where you pick the organization to connect; the client then manages its own access token, with nothing to copy or paste. See Connect your agent for the click path.
- Personal access tokens (PATs) — for header-based clients (Claude Code, the API, anything that sends its own `Authorization` header). The rest of this page covers PATs.
Creating a token
- In the Pharus web app at stg.app.pharus.ai, open Settings → API Tokens.
- Create a token: give it a name (e.g. `claude-agent`), pick the organization it operates on, and optionally an expiry.
- Copy the token (`pharus_pat_...`) immediately — it is shown once and never again.
How it works
- The token is sent as a standard Bearer header on every MCP request: `Authorization: Bearer pharus_pat_...`
- Requests without a valid token get `401 Unauthorized` — including expired and revoked tokens.
- Org binding: every PAT is bound to one organization. All tool calls operate on that organization automatically; you never pass an org ID.
- Role enforcement: the token acts with your role in that organization (member/admin/owner). Endpoints that require admin (e.g. deleting master data) reject a member-role token with `403 Forbidden` — the agent sees a clean tool error, not silent failure.
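The four rules above (Bearer header, 401 for missing/expired/revoked tokens, org binding, role enforcement with 403) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Pharus's own server code: the token values, org id, role names and the `delete_master_data` / `list_master_data` tool names are constructed, and the store keyed by token hash is an assumption about how such a server would keep PATs.

```python
# Added illustration (not Pharus code): a minimal model of the PAT checks this page
# describes -- Bearer header parsing, 401 for missing/expired/revoked tokens,
# org binding, and 403 for admin-only tools called with a member-role token.
# Token values, org ids and tool names below are constructed for the example.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility
ADMIN_ROLES = {"admin", "owner"}
ADMIN_ONLY_TOOLS = {"delete_master_data"}                 # hypothetical admin-only tool


@dataclass
class PersonalAccessToken:
    name: str                         # e.g. "claude-agent": one token per agent
    org_id: str                       # the single organization the PAT is bound to
    role: str                         # the user's role in that org: member/admin/owner
    expires_at: Optional[datetime]    # None = no expiry
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class AuthError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(f"{status} {message}")
        self.status, self.message = status, message


def _fingerprint(token: str) -> str:
    # Store only a hash of the secret; the plaintext is shown once at creation.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token store keyed by fingerprint (a real server keeps this in a database).
TOKEN_STORE: Dict[str, PersonalAccessToken] = {
    _fingerprint("pharus_pat_EXAMPLE_member"): PersonalAccessToken(
        "claude-agent", "org_123", "member", NOW + timedelta(days=1)),
    _fingerprint("pharus_pat_EXAMPLE_admin"): PersonalAccessToken(
        "ops-bot", "org_123", "admin", None),
    _fingerprint("pharus_pat_EXAMPLE_expired"): PersonalAccessToken(
        "old-experiment", "org_123", "member", NOW - timedelta(days=1)),
    _fingerprint("pharus_pat_EXAMPLE_revoked"): PersonalAccessToken(
        "leaked", "org_123", "owner", None, revoked=True),
}


def parse_bearer(headers: Dict[str, str]) -> str:
    """Extract the token from a standard `Authorization: Bearer <token>` header."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise AuthError(401, "Unauthorized")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError(401, "Unauthorized")
    return token.strip()


def authenticate(headers: Dict[str, str], now: datetime = NOW) -> PersonalAccessToken:
    """401 for unknown, revoked or expired tokens; otherwise record last use."""
    pat = TOKEN_STORE.get(_fingerprint(parse_bearer(headers)))
    if pat is None or pat.revoked:
        raise AuthError(401, "Unauthorized")
    if pat.expires_at is not None and pat.expires_at <= now:
        raise AuthError(401, "Unauthorized")
    pat.last_used_at = now            # what Settings -> API Tokens surfaces as last_used_at
    return pat


def call_tool(headers: Dict[str, str], tool: str, now: datetime = NOW) -> Dict[str, object]:
    """Run `tool` under the token's org and role; auth failures become clean tool errors."""
    try:
        pat = authenticate(headers, now)
        if tool in ADMIN_ONLY_TOOLS and pat.role not in ADMIN_ROLES:
            raise AuthError(403, "Forbidden")
    except AuthError as err:
        return {"status": err.status, "error": err.message}
    # Org binding: the caller never passes an org id; it comes from the token.
    return {"status": 200, "tool": tool, "org_id": pat.org_id, "role": pat.role}


if __name__ == "__main__":
    member = {"Authorization": "Bearer pharus_pat_EXAMPLE_member"}
    print(call_tool(member, "list_master_data"))     # 200, org_123
    print(call_tool(member, "delete_master_data"))   # 403 Forbidden
    print(call_tool({}, "list_master_data"))         # 401 Unauthorized
```

Two details worth noting in the model: the server never trusts an org id from the request, it takes it from the token, so a token cannot be pointed at another organization; and an expired or revoked token is indistinguishable from an unknown one (both are 401), which is why revocation takes effect on the very next call.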
Good practice
- One token per agent. Name tokens after the agent/integration using them, so revoking one doesn't break another.
- Set an expiry for experiments; long-lived tokens only for production integrations.
- Revoke on suspicion. Revocation is immediate — in-flight agents get `401` on their next call.
- The token's `last_used_at` is tracked, so you can spot stale tokens in Settings → API Tokens.