Personal Access Tokens (PATs)
Authentication for the MCP server and any HTTP integration that needs to act on behalf of your user.
A Personal Access Token (PAT) is how an external tool authenticates to SendClaw as you. Today the only thing that uses PATs is the MCP server, but the same tokens will eventually back a public REST API.
Create a token
Settings → Developer → Create token.
- Give it a name (e.g. "Claude Desktop", "n8n workflow") so you remember which integration it's for.
- Click Create. The full token is shown once. Copy it now, because we don't store it in a recoverable form.
The token shape is sclw_pat_<22 url-safe chars>. The first 8 chars of the random portion are stored as a prefix hint so you can identify tokens in the list later. Everything else lives only as a SHA-256 hash.
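The storage model described above, as an added Python sketch (not SendClaw's own code): the full token is returned once, and only a prefix hint and a SHA-256 hash are kept. The function names, the record layout, the use of 16 random bytes to get 22 url-safe characters, and hashing the whole token string are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

TOKEN_HEAD = "sclw_pat_"
# Shape stated on the page: sclw_pat_ followed by 22 url-safe characters.
TOKEN_RE = re.compile(r"sclw_pat_[A-Za-z0-9_-]{22}")


def issue_token():
    """Return (full_token, stored_record). Only the record is persisted."""
    # Assumption: 16 random bytes, base64url-encoded without padding = 22 chars.
    body = secrets.token_urlsafe(16)
    token = TOKEN_HEAD + body
    record = {
        "prefix": body[:8],  # hint shown in the token list
        # Assumption: the hash covers the full token string, head included.
        "sha256": hashlib.sha256(token.encode()).hexdigest(),
        "revoked": False,
    }
    return token, record


def verify(presented, records):
    """Return the matching active record, or None (the 401 case)."""
    if not isinstance(presented, str) or not TOKEN_RE.fullmatch(presented):
        return None  # missing or malformed
    body = presented[len(TOKEN_HEAD):]
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for rec in records:
        # The prefix only narrows the candidates; the hash decides,
        # and it is compared in constant time.
        if rec["prefix"] == body[:8] and hmac.compare_digest(rec["sha256"], digest):
            return None if rec["revoked"] else rec
    return None


if __name__ == "__main__":
    token, record = issue_token()           # constructed sample token
    print("shown once:", token)
    print("stored:    ", record)            # no recoverable token in here
    print("valid:     ", verify(token, [record]) is record)
    record["revoked"] = True
    print("revoked:   ", verify(token, [record]) is None)
```

Because the stored record cannot be turned back into the token, a lost token can only be revoked and replaced, which matches the behaviour this page describes.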
List, revoke, rotate
- The Developer tab shows every active token with its prefix, created date, and last-used timestamp.
- Revoke invalidates the token immediately. Any request using it gets a 401.
- We don't yet support rotation in place. Revoke and create a new one.
Scoping
A PAT is scoped to your user across your active organisation. It can do anything you can do as a member of that org, including:
- List documents, leads, integrations.
- Create documents (via gate_artifact).
- Read leads.
It can't:
- Switch to a different org. The token is tied to whichever org was active when you created it.
- Change billing or org-wide settings (those are org-admin actions; the PAT inherits your member role).
If you belong to multiple orgs, create separate tokens per org.
Using a token
Send it as a Bearer token in the Authorization header:
curl -X POST https://app.sendclaw.io/api/mcp \
  -H "Authorization: Bearer sclw_pat_..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

A 401 means the token is missing, malformed, or revoked. A 403 means the token is valid but the action isn't allowed for your role.