What is a Scoped Token?

2 min read Updated

A scoped token is a credential issued to a specific person or agent that grants access to a defined subset of resources — in MCP deployments, particular servers and tools — rather than everything the issuer can reach. Scoped tokens are typically time-bound and individually revocable, so access can be narrowed or withdrawn without affecting anyone else.

WHY IT MATTERS

The default failure mode in MCP fleets is the shared credential: one API key for the database server, pasted into every developer's client configuration. Everyone gets the same access, the audit log cannot tell people apart, and revoking the key for one leaver means rotating it for everyone. Scoped tokens replace that with per-person credentials, each carrying its own grant.

A useful scope has several dimensions:

  • Who — the token is bound to a named person or agent, giving every tool call an identity (agent identity).
  • What — which MCP servers, and which tools on those servers, the holder may call; a contractor might get read-only tools on two servers while the platform team gets more.
  • When — an expiry, so stale grants age out instead of accumulating.
  • Revocation — the token can be killed on its own, immediately, without a fleet-wide rotation.

Scoped tokens are the credential-layer expression of least privilege: they shrink the blast radius of a leaked credential or a misbehaving agent from "everything we have connected" to "what this one identity was granted". They pair naturally with policy enforcement — the token establishes who is calling and what they may reach; policy decides what each call may do.

Give every person their own scoped token instead of a shared key — per-person access, per-person audit trail.

ISSUE SCOPED TOKENS →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

Scoped tokens are a core PolicyLayer primitive. Administrators issue a per-person token from the dashboard that grants access to a chosen subset of the fleet's registered MCP servers and tools; the person drops it into their client configuration and routes through the gateway. Every call is then attributed to that individual in the audit trail, policies evaluate against their identity, and revoking the token cuts their access instantly — no shared keys to rotate.

FREQUENTLY ASKED QUESTIONS

How is a scoped token different from a shared API key?
A shared key grants identical, anonymous access to everyone holding it. A scoped token is bound to one person or agent, grants only a defined subset of servers and tools, and can be revoked individually.
What should a scoped token's scope include?
At minimum: which MCP servers and tools the holder may call, who the holder is, and an expiry. Narrower scopes mean a leaked token exposes less.
Do scoped tokens replace policy enforcement?
No — they complement it. The token controls which servers and tools an identity can reach at all; policy evaluates each individual call, including its arguments, against rules.

FURTHER READING

Take your agents live. Without losing control.

Route your MCP traffic through PolicyLayer. Every tool call is checked against your policy before it runs: allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Instant setup, no code required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.