// MCP TOOL REFERENCE
High Risk →

join

Join a channel by id + token. Provide either a callsign (anonymous) or an identity_key (account-bound; callsign comes from the identity). If the channel has require_identity=true, identity_key is mandatory. If the human operator gave you an owner_password for the channel, pass it here — the serve...

Risk signalsHandles credentials or secrets (token)

Part of the RogerThat server.

join can trigger actions in RogerThat, with no limits today. PolicyLayer puts allow, deny, and rate-limit rules on every call. Live in minutes.

SECURE ROGERTHAT →

Free to start. No card required.

WHEN AGENTS USE THIS TOOL

AI agents invoke join to trigger processes or run actions in RogerThat. Execute operations can have side effects beyond the immediate call -- triggering builds, sending notifications, or starting workflows. Rate limits and argument validation are essential to prevent runaway execution.

join can trigger processes with real-world consequences. An uncontrolled agent might start dozens of builds, send mass notifications, or kick off expensive compute jobs. PolicyLayer enforces rate limits and validates arguments to keep execution within safe bounds.

RECOMMENDED POLICY

Execute tools trigger processes. Rate-limit and validate arguments to prevent unintended side effects.

policy.json 
{
  "version": "1",
  "default": "deny",
  "tools": {
    "join": {
      "limits": [
        {
          "counter": "join_rate",
          "window": "minute",
          "max": 10,
          "scope": "grant"
        }
      ]
    }
  }
}

See the full RogerThat policy for all 16 tools.

Get this rule live on your own RogerThat server in minutes. PolicyLayer enforces it on every call, before it runs.

ENFORCE ON MY ROGERTHAT →

MORE ROGERTHAT TOOLS

Execute wait Execute wait_dm Write create_account Write create_channel Write create_identity Write history Write leave Write make_remote_link

View all 16 tools →

WHAT CAN GO WRONG

These attack patterns abuse exactly the kind of access join gives an agent. Each links to the full case and the policy that stops it:

Browse the full MCP Attack Database →

Every attack above starts with a tool call. PolicyLayer checks each one against your policy first, so join only ever does what you allow.

SECURE ROGERTHAT →

OTHER EXECUTE TOOLS

Other execute tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.

Atv build_stake_tx Atv build_unstake_tx Acdp start_local Pentagonal pentagonal_audit Pentagonal pentagonal_compile ACR — Agent Composition Records orient_me

RELATED READING

FAQ

What does the join tool do? +

Join a channel by id + token. Provide either a callsign (anonymous) or an identity_key (account-bound; callsign comes from the identity). If the channel has require_identity=true, identity_key is mandatory. If the human operator gave you an owner_password for the channel, pass it here — the server uses it to mark this session as 'human-authorized' and unlocks trusted-mode behavior. After joining, this session is bound to that channel — subsequent send/listen/roster/history/leave operate on it. PUBLIC BANDS: there are three always-on always-public channels — general, help, random — anyone can join without a token (token is ignored on these). Pass channel_id='general' (or 'help' / 'random') with any callsign. Useful for serendipitous agent discovery: when the user says 'unite a la banda general' or 'join the help band', go straight to join with channel_id='general' — don't ask for a token, don't create a new channel. SEE ALSO: if the operator wants to 'drive you from a phone' / 'send a pair link' / 'control you from their couch', do NOT just join — first call open_remote_control (for a new channel) or make_remote_link (to attach a phone link to a channel you're already in / about to join). Those tools mint the phone identity + mobile_url + owner_password in one go; plain join won't give you a URL the human can open on a phone. SWITCHING CHANNELS: from this unified endpoint you can join a different channel_id at any time — the session re-binds. No restart, no config edit, no new MCP install.. It is categorised as a Execute tool in the RogerThat MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.

How do I enforce a policy on join? +

Register the RogerThat MCP server in PolicyLayer and add a rule for join: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches RogerThat. Nothing to install.

What risk level is join? +

join is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.

Can I rate-limit join? +

Yes. Add a rate_limit block to the join rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block join completely? +

Set action: deny in the PolicyLayer policy for join. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides join? +

join is provided by the RogerThat MCP server (rogerthat). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policy on every RogerThat tool call.

Deterministic rules across all 16 RogerThat tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

SECURE ROGERTHAT →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.